Exam Professional Cloud Security Engineer topic 1 question 71 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 71
Topic #: 1

You will create a new Service Account that should be able to list the Compute Engine instances in the project. You want to follow Google-recommended practices.
What should you do?

  • A. Create an Instance Template, and allow the Service Account Read Only access for the Compute Engine Access Scope.
  • B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
  • C. Give the Service Account the role of Compute Viewer, and use the new Service Account for all instances.
  • D. Give the Service Account the role of Project Viewer, and use the new Service Account for all instances.
Suggested Answer: B
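
Answer B written out as gcloud commands, with a check that the account ends up holding only the custom role and that the role holds only compute.instances.list. This is an added example, not part of the original question or discussion; the project ID, service account name and role ID are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: answer B as gcloud calls plus a least-privilege check.
# PROJECT_ID, SA_NAME and ROLE_ID are hypothetical placeholders.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-instance-lister}"
ROLE_ID="${ROLE_ID:-instanceLister}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
ROLE_PATH="projects/${PROJECT_ID}/roles/${ROLE_ID}"

# Create the service account, a one-permission custom role, and the binding.
create_lister() {
  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Lists Compute Engine instances"
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Instance Lister" --stage=GA \
    --permissions=compute.instances.list
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role="$ROLE_PATH" \
    --condition=None
}

# Print every role bound to the service account in the project policy.
bound_roles() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
    --format="value(bindings.role)"
}

# Succeed only if the account holds the custom role and nothing else,
# and the role contains compute.instances.list and nothing else.
verify_least_privilege() {
  roles="$(bound_roles | sort -u)"
  perms="$(gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID" \
    --format="value(includedPermissions)")"
  [ "$roles" = "$ROLE_PATH" ] && [ "$perms" = "compute.instances.list" ]
}

# Run with "apply" to make the changes; without it only functions are defined.
if [ "${1:-}" = "apply" ]; then
  create_lister
  verify_least_privilege && echo "OK: ${SA_EMAIL} can only list instances"
fi
```

The check reads the project-level policy only; roles inherited from a folder or organization do not appear there and need a separate review.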

Comments

MohitA
Highly Voted 3 years, 7 months ago
B, https://cloud.google.com/compute/docs/access/iam
upvoted 16 times
mlyu
3 years, 7 months ago
Although it is not encouraged to use a custom role, the last sentence in answer C makes B the only option
upvoted 7 times
...
AzureDP900
1 year, 5 months ago
B is right
upvoted 2 times
...
...
sudarchary
Highly Voted 2 years, 3 months ago
B. The only option that adheres to the principle of least privilege and meets question requirements is B
upvoted 5 times
...
ArizonaClassics
Most Recent 7 months, 2 weeks ago
B. Create a custom role with the permission compute.instances.list and grant the Service Account this role: This follows the principle of least privilege by granting only the specific permission needed.
upvoted 2 times
...
Brosh
1 year, 4 months ago
I don't get why it is not C. You grant that specific service account the role over all instances; is it wrong because that service account will be able to view not only compute instances?
upvoted 2 times
...
shayke
1 year, 4 months ago
Selected Answer: B
B is the right ans - you only want to list the instances
upvoted 3 times
...
Meyucho
1 year, 4 months ago
Selected Answer: B
With C the SA will list ONLY the instances that are configured to use that SA. The option B will give permissions to list ALL instances.
upvoted 3 times
...
AwesomeGCP
1 year, 6 months ago
Selected Answer: B
B. Create a custom role with the permission compute.instances.list and grant the Service Account this role.
upvoted 3 times
...
nbrnschwgr
1 year, 8 months ago
C, because Google recommends pre-defined narrow scope roles over custom roles.
upvoted 2 times
...
Roflcopter
1 year, 8 months ago
Selected Answer: B
Key here is "and grant the Service Account this role.". C and D are giving this role to ALL instances which is overly permissive. A is wrong. Only choice is B
upvoted 5 times
...
cloudprincipal
1 year, 10 months ago
Selected Answer: B
The roles/compute.viewer provides a lot more privileges than just listing compute instances
upvoted 4 times
...
cloudprincipal
1 year, 10 months ago
Selected Answer: C
Compute Viewer Read-only access to get and list Compute Engine resources, without being able to read the data stored on them. https://cloud.google.com/compute/docs/access/iam#compute.viewer
upvoted 2 times
cloudprincipal
1 year, 10 months ago
This is incorrect, as Compute Viewer provides a lot more than what is required
upvoted 1 times
...
...
[Removed]
3 years ago
I think C is good
upvoted 4 times
...
DebasishLowes
3 years, 1 month ago
Ans : B
upvoted 1 times
...
dtmtor
3 years, 1 month ago
Ans is B
upvoted 1 times
...
[Removed]
3 years, 6 months ago
Ans - B
upvoted 1 times
...
genesis3k
3 years, 6 months ago
Answer is B, based on least privilege principle.
upvoted 1 times
...