GCP Professional Cloud Security Engineer Practice Question
A security team wants to tighten access controls in a large GCP organization where IAM roles are currently bound to dozens of individual user principals. Their goals are to 1) simplify future permission reviews, 2) delegate day-to-day onboarding and off-boarding of developers to team leads, and 3) ensure that no users accidentally retain permissions after leaving a group. Which approach best meets ALL three goals?
Assign broad organization-wide roles (such as roles/viewer) directly to every user and rely on audit logs to detect misuse.
Create least-privilege Google Groups for each functional role, grant all required IAM roles to those groups, and delegate group-membership administration to team leads while synchronizing group membership with the corporate directory.
Require every project owner to manage IAM bindings for their own project resources instead of centralizing permissions in groups.
Keep existing individual IAM bindings but place all projects inside a VPC Service Control perimeter to prevent lateral movement and data exfiltration.
Granting IAM roles to purpose-specific Google Groups (for example, "[email protected]") centralizes policy bindings, so an auditor can review access by looking at a single group instead of hundreds of users. Delegating group-membership management to team leads with the Groups Admin role lets them add or remove members without changing IAM policies, which satisfies the operational requirement. Enforcing automatic synchronization of group membership with the company's authoritative HR data source (via the Cloud Identity Groups API or Google Cloud Directory Sync) guarantees that when an employee leaves or changes roles, their account is promptly removed from the group and their inherited permissions automatically disappear. Simply granting organization-level roles to all users or requiring project owners to manage IAM directly would either violate least privilege or fail to reduce administrative overhead. Relying only on VPC Service Controls restricts data exfiltration paths but does not address user-level permission management.
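The following Python example is added here for illustration and is not part of the original question or of any Google tooling. It flags IAM bindings that still name individual users, then computes the membership changes needed to make a group match the authoritative directory. The function names, sample policy and rosters are constructed assumptions; the policy shape follows the JSON printed by `gcloud projects get-iam-policy --format=json`.

```python
# Added example: all sample data below is constructed, not from a real organization.
from collections import defaultdict

# Constructed policy in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:alice@example.com", "user:bob@example.com",
                     "group:data-readers@example.com"]},
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
        {"role": "roles/logging.viewer",
         "members": ["group:sre@example.com"]},
    ]
}

def direct_user_bindings(policy):
    """Map each role to the individual user principals bound to it directly."""
    found = defaultdict(list)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            # Only `user:` principals count; groups and service accounts are skipped.
            if member.startswith("user:"):
                found[binding["role"]].append(member.split(":", 1)[1])
    return dict(found)

def reconcile_group(current_members, directory_members):
    """Return (to_add, to_remove) so the group matches the authoritative directory."""
    current = {m.lower() for m in current_members}   # addresses compared case-insensitively
    wanted = {m.lower() for m in directory_members}
    return sorted(wanted - current), sorted(current - wanted)

if __name__ == "__main__":
    for role, users in direct_user_bindings(SAMPLE_POLICY).items():
        print(f"{role}: move {len(users)} direct user binding(s) to a group: {users}")
    # Constructed rosters: bob has left the team, carol has joined.
    add, remove = reconcile_group(
        ["alice@example.com", "Bob@example.com"],
        ["alice@example.com", "carol@example.com"])
    print("add:", add, "remove:", remove)
```

In practice the reconciliation step is what Google Cloud Directory Sync or a job calling the Cloud Identity Groups API performs; the function above only shows the set difference such a sync acts on.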
GCP Professional Cloud Security Engineer
Configuring Access