GCP Professional Cloud Architect Practice Question
A company runs a Compute Engine VM under the service account [email protected]. The VM must (1) pull messages from a single Pub/Sub subscription called orders-sub and (2) write processed results as objects into the Cloud Storage bucket gs://order-results, both in the inventory-prod project. Today the service account has roles/pubsub.subscriber and roles/storage.admin on the entire inventory-prod project. The security team wants to apply the principle of least privilege without disrupting the workload. What should you do?
Move the subscription and bucket to a separate project and grant the service account the Editor role on that new project.
Keep the current project-level roles but add an IAM condition to each so they apply only during business hours.
Replace the two existing roles with a single custom role that includes pubsub.subscriptions.consume and storage.objects.* permissions, and grant the custom role on the entire project.
Remove the project-level bindings and grant the service account the Pub/Sub Subscriber role on the orders-sub subscription and the Storage Object Creator role on the gs://order-results bucket.
Granting roles at the narrowest possible scope with only the permissions required satisfies least-privilege principles. The VM needs to consume messages from one subscription and create objects in one bucket. Granting Pub/Sub Subscriber on that specific subscription and Storage Object Creator on the specific bucket gives exactly those abilities and nothing more. Granting a custom role or broad project-level roles still exposes the service account to unnecessary permissions across the whole project. Using IAM Conditions to limit by time does not remove excessive resource scope, and granting the Editor role in another project vastly over-privileges the account.
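As an added worked example (not part of the original question or any Google tooling), the script below audits a service account's bindings against the least-privilege target the explanation describes and emits the gcloud commands that move from the project-wide bindings to the two resource-level ones. The IAM policy documents are constructed by hand in the shape `get-iam-policy --format=json` returns, and the service account address is a placeholder because the page redacts it. Grants are emitted before removals so the VM never loses access mid-change.

```python
"""Audit a service account's IAM bindings against a least-privilege target.

Added example (not from the question page): the policies below are
constructed by hand in the shape `gcloud ... get-iam-policy --format=json`
returns, and the service account name is a placeholder.
"""
from dataclasses import dataclass

# Placeholder for the VM's service account (the page redacts the real address).
SA = "serviceAccount:VM_SA@inventory-prod.iam.gserviceaccount.com"


@dataclass(frozen=True, order=True)
class Binding:
    """One (resource, role, member) triple. `resource` is 'kind:name'."""
    resource: str
    role: str
    member: str


def bindings_from_policy(resource: str, policy: dict) -> set:
    """Flatten one IAM policy document into Binding triples."""
    return {
        Binding(resource, b["role"], m)
        for b in policy.get("bindings", [])
        for m in b.get("members", [])
    }


# Least-privilege target from the question: one role on each specific resource.
TARGET = {
    Binding("subscription:orders-sub", "roles/pubsub.subscriber", SA),
    Binding("bucket:order-results", "roles/storage.objectCreator", SA),
}

# Constructed "before" state: both roles bound at project scope.
BEFORE = bindings_from_policy("project:inventory-prod", {
    "bindings": [
        {"role": "roles/pubsub.subscriber", "members": [SA]},
        {"role": "roles/storage.admin", "members": [SA, "group:admins@example.com"]},
    ]
})

# Constructed "after" state: the project policy no longer names the SA and the
# resource-level policies carry the narrow roles.
AFTER = (
    bindings_from_policy("project:inventory-prod", {
        "bindings": [{"role": "roles/storage.admin", "members": ["group:admins@example.com"]}]
    })
    | bindings_from_policy("subscription:orders-sub", {
        "bindings": [{"role": "roles/pubsub.subscriber", "members": [SA]}]
    })
    | bindings_from_policy("bucket:order-results", {
        "bindings": [{"role": "roles/storage.objectCreator", "members": [SA]}]
    })
)


def audit(current: set, target: set, member: str) -> dict:
    """Compare the member's actual bindings with the target set.

    excess: bindings the member holds that the target does not list (too broad);
    missing: target bindings not yet granted.
    """
    held = {b for b in current if b.member == member}
    return {
        "excess": sorted(held - target),
        "missing": sorted(target - held),
    }


# gcloud command templates per resource kind (assumed current gcloud syntax).
_REMOVE = {
    "project": "gcloud projects remove-iam-policy-binding {name}",
    "subscription": "gcloud pubsub subscriptions remove-iam-policy-binding {name}",
    "bucket": "gcloud storage buckets remove-iam-policy-binding gs://{name}",
}
_ADD = {k: v.replace("remove-iam", "add-iam") for k, v in _REMOVE.items()}


def remediation_commands(report: dict) -> list:
    """Emit gcloud commands; grants come before removals so the workload never
    loses access in between (the 'without disrupting' requirement)."""
    cmds = []
    for b in report["missing"]:
        kind, name = b.resource.split(":", 1)
        cmds.append(f"{_ADD[kind].format(name=name)} --member={b.member} --role={b.role}")
    for b in report["excess"]:
        kind, name = b.resource.split(":", 1)
        cmds.append(f"{_REMOVE[kind].format(name=name)} --member={b.member} --role={b.role}")
    return cmds


if __name__ == "__main__":
    report = audit(BEFORE, TARGET, SA)
    for cmd in remediation_commands(report):
        print(cmd)
    # After the change the SA should hold exactly the target bindings.
    assert audit(AFTER, TARGET, SA) == {"excess": [], "missing": []}
```

Running the script against the constructed "before" state prints two add-iam-policy-binding commands (bucket, then subscription) followed by two remove-iam-policy-binding commands for the project-level roles; rerunning `audit` on the "after" state reports nothing excess and nothing missing, which is the check to perform once the change has been applied.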
GCP Professional Cloud Architect
Designing for security and compliance