Exam Associate Cloud Engineer topic 1 question 158 discussion

Correct Answer is (C): Understanding IAM custom roles Key Point: Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions. Basic concepts Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically. When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project. https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts

"You want to prevent Google Cloud product changes from broadening their permissions in the future." then CUSTOM ROLE

The answer would be B as it will help the DevOps team to work on any resources for others future production project.

The giveaway is "prevent google cloud product changes from broadening their permissions". Which means that we need to create a custom role. Also they mentioned all production services and not production projects so C

Custom roles help you enforce the principle of least privilege, because they help to ensure that the principals in your organization have only the permissions that they need. Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project. Note: You cannot define custom roles at the folder level. If you need to use a custom role within a folder, define the custom role at the organization level. https://cloud.google.com/iam/docs/roles-overview#custom

Custom roles help you enforce the principle of least privilege, because they help to ensure that the principals in your organization have only the permissions that they need. Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project. Note: You cannot define custom roles at the folder level. If you need to use a custom role within a folder, define the custom role at the organization level. https://cloud.google.com/iam/docs/roles-overview#custom

C is the correct answer

C is correct

Had this question 2 days ago. C is correct.

C is the correct answer, give the devops team the least privileged role, only the required permissions to access the production services, as the question states 'to prevent product changes' for which editor role is not recommended either at Project or organizational level, organizational level access gives broad scope to all the projects in the organization, this role cannot be given to the devops team. A. Editor has privilege to change the products, and the scope is broad B. Editor has privilege to change the products C. Recommended, as this will give only required permission at project level to devops team. D. They require only project level access. This gives access to all project in the organization.

Correct Answer is (C): Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically.

correct answer is A

There is no doubt, the correct answer is C

C is right

C seems to be the popular answer, and it makes sense because the generic roles are not sufficient for these specific requirements. I added this voting comment because the community answers are not currently visible.

I vote for C

I initially thought C. But I think this may be a trick question. "The DevOps team needs access to ALL of the PRODUCTION services..." which are in a "single" project. If "Project Editor" is assigned at on the "production" project it gives them access to "ALL" production services including product changes in the "production" project. A custom role would have to be modified to get access to product changes in the production project that required additional permissions, so the DevOps team would not have access to "ALL" services until the custom role is modified. I am changing my choice to B.