Your security team wants to let the on-call operators restart production Compute Engine VMs during incidents, but not create, delete, or modify any other resource. You inspected predefined roles such as Compute Instance Admin (v1) and found they grant many permissions beyond starting and stopping instances. What is the most appropriate IAM approach to meet the requirement while following least-privilege guidelines?
Grant the operators group the predefined Editor role on the project and rely on audit logs for oversight.
Grant the operators group the predefined Compute Instance Admin (v1) role on the project.
Enable OS Login and grant the operators group roles/iam.serviceAccountUser on the default Compute Engine service account.
Create a custom role containing only compute.instances.start and compute.instances.stop permissions, then bind it to the operators group.
Compute Instance Admin (v1) and other predefined Compute Engine roles contain numerous permissions, including instance creation and deletion. Because there is no predefined role limited to just compute.instances.start and compute.instances.stop, the least-privilege solution is to build a custom role that includes only those two permissions and then bind that role to the operators group. Granting broad roles like Editor or Instance Admin would violate the principle of least privilege, and roles/iam.serviceAccountUser only lets users act as a service account; it does not by itself confer the ability to start or stop VM instances.
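The following script is an added example of carrying out the chosen answer with the gcloud CLI; it is not part of the original question or of Google's documentation. PROJECT_ID, OPERATORS_GROUP and ROLE_ID are placeholders, and the role file format is the YAML that gcloud iam roles create --file accepts. Two small check functions are included so that a reviewer or CI job can confirm the role never grows beyond the two approved permissions.

```shell
#!/bin/sh
# Added example, not from the original page. PROJECT_ID, OPERATORS_GROUP and
# ROLE_ID are placeholders; override them in the environment before running.
set -eu

PROJECT_ID="${PROJECT_ID:-example-project-id}"
OPERATORS_GROUP="${OPERATORS_GROUP:-oncall-operators@example.com}"
ROLE_ID="${ROLE_ID:-vmRestartOperator}"

# Writes the role definition in the YAML format that
# `gcloud iam roles create --file` reads. Only the two permissions the
# requirement names are included; nothing that creates, deletes or edits.
write_role_definition() {
  out="$1"
  cat > "$out" <<'EOF'
title: "VM Restart Operator"
description: "Start and stop existing Compute Engine instances during incidents"
stage: "GA"
includedPermissions:
- compute.instances.start
- compute.instances.stop
EOF
}

# Returns the number of permissions listed in a role file, so a reviewer can
# assert the role has not grown beyond the two it was approved with.
count_permissions() {
  grep -c '^- ' "$1"
}

# Succeeds only if every permission in the role file is one of the two
# approved ones; a CI job can run this to catch scope creep in the role.
check_only_approved() {
  extra=$(sed -n 's/^- //p' "$1" \
    | grep -v -x -e compute.instances.start -e compute.instances.stop || true)
  [ -z "$extra" ]
}

# Creates the custom role in the project and binds it to the operators group.
# Binding this narrow role (rather than Editor or Compute Instance Admin) to
# the group is the least-privilege step the question asks for.
create_and_bind() {
  role_file="$1"
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" --file="$role_file"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:${OPERATORS_GROUP}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  # Read the role back so the change record shows exactly what was granted.
  gcloud iam roles describe "$ROLE_ID" --project="$PROJECT_ID"
}

ROLE_FILE="$(mktemp)"
write_role_definition "$ROLE_FILE"
check_only_approved "$ROLE_FILE"
echo "Role definition with $(count_permissions "$ROLE_FILE") permissions written to $ROLE_FILE"
if command -v gcloud >/dev/null 2>&1; then
  create_and_bind "$ROLE_FILE"
else
  echo "gcloud not found; run create_and_bind against $ROLE_FILE from a workstation with the SDK installed"
fi
```

The role is created at project level and bound with a group member, so adding or removing an on-call operator is a group-membership change rather than a policy edit. If the operators will locate instances through the Cloud Console rather than naming them on the CLI, they will additionally need read-only visibility such as compute.instances.get and compute.instances.list; the question's answer is scoped to the two permissions that actually perform the restart.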
GCP Associate Cloud Engineer
Configuring access and security