While reviewing a project's IAM policy, you see that a non-human service account has been granted the basic Owner role so it can create and manage Cloud Storage buckets for a data-ingest job. The security lead asks why this assignment should be replaced with a more specific predefined role. Which statement best explains the risk of keeping the Owner assignment?
The Owner role allows the service account to manage IAM policies and billing settings across the entire project, far exceeding the permissions required for bucket creation.
The Owner role does not include storage.buckets.create, so the service account still cannot create buckets, making the assignment ineffective.
Basic roles such as Owner automatically downgrade to Viewer after 30 days of inactivity, so the access would eventually be lost.
Owner permissions apply only to Cloud Storage resources, so granting it is redundant but otherwise harmless to other services.
The basic Owner role contains every permission that exists in the project, including administrative permissions such as changing IAM policies and managing billing accounts. Granting it to a service account violates the principle of least privilege because the account could modify its own or others' access, create or delete resources in any service, and change billing settings, which is far more capability than is needed just to create Cloud Storage buckets. The other statements are incorrect: Owner already includes storage permissions, it does not automatically downgrade over time, and its permissions are project-wide, not limited to Cloud Storage.
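An added example, not part of the original question: a Python check that scans a project IAM policy for service accounts bound to a basic role, which is the finding this question describes. It extends the Owner case to the other basic roles (Editor and Viewer); the policy content, project name and account names are constructed for illustration.

```python
import json

# Basic roles, most to least powerful. Owner is the one the question is about.
BASIC_ROLES = ["roles/owner", "roles/editor", "roles/viewer"]

# Constructed sample, shaped like the output of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner",
     "members": ["user:admin@example.com",
                 "serviceAccount:ingest-job@example-project.iam.gserviceaccount.com"]}
  ]
}
""")


def basic_role_service_accounts(policy):
    """Return service-account members bound to a basic role, Owner first."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue  # predefined and custom roles are out of scope for this check
        for member in binding.get("members", []):
            # Members look like "user:...", "group:...", "serviceAccount:...".
            kind, _, ident = member.partition(":")
            if kind == "serviceAccount":
                findings.append({"role": role, "service_account": ident})
    # Most powerful role first, then by account name for stable output.
    findings.sort(key=lambda f: (BASIC_ROLES.index(f["role"]), f["service_account"]))
    return findings


if __name__ == "__main__":
    for f in basic_role_service_accounts(SAMPLE_POLICY):
        print(f"{f['role']:<14} {f['service_account']}")
```

Human principals holding Owner are deliberately not reported here; the check targets non-human identities only.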
GCP Associate Cloud Engineer
Configuring access and security