GCP Professional Cloud Security Engineer Practice Question
Your company's Cloud Identity structure has an Organization node and separate folders for each business unit. Network engineers need read-only visibility into every project inside their own business unit's folder, while developer groups must only be able to start and stop Compute Engine VM instances within their respective projects. You want a scalable, least-privilege IAM design that minimizes ongoing policy maintenance. What should you do?
Assign organization-level Viewer to network engineers and a custom start/stop VM role to all developer groups across every project via a single organization-level binding.
Give each business unit's network engineer group the Viewer (roles/viewer) role on the Organization node; grant developers the Compute Instance Admin (roles/compute.instanceAdmin.v1) role on their projects.
Give each business unit's network engineer group the Browser (roles/browser) role on its folder; grant developers the Compute Admin (roles/compute.admin) role on the folder so it cascades to all projects.
Give each business unit's network engineer group the Viewer (roles/viewer) role on its folder; create one custom role containing only compute.instances.start and compute.instances.stop, and grant that role to each project's developer group.
The correct choice is the last option. Granting the basic Viewer role (roles/viewer) on each business unit's folder gives that unit's network engineers inherited, read-only access to every project beneath the folder, with no access to other business units' folders and no ability to modify anything. Developers need exactly two permissions, compute.instances.start and compute.instances.stop, so create a single custom role at the organization level containing only those permissions (an organization-level custom role is defined once and can be bound on any project in the organization) and bind it to each project's developer group on that project. This keeps broad but low-risk permissions high in the hierarchy and narrowly scoped, task-specific permissions where they are needed, without per-resource bindings or overly permissive predefined roles. Viewer at the Organization node would expose every business unit's projects to every engineer group; Browser (roles/browser) only lets a principal see the folder and project hierarchy and IAM policies, not the resources inside the projects; Compute Admin or Compute Instance Admin, whether on a folder or a project, grants create, delete and reconfigure permissions that developers do not need; and a single organization-wide binding for developers would apply to every project rather than only their own.
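To make the inheritance argument in the explanation concrete, here is a small policy-evaluation model, added as an example for this question and not code from the exam or from Google. The hierarchy, group names, organization ID and the trimmed per-role permission sets are constructed assumptions (real roles carry far more permissions); the model implements only allow-policy inheritance and ignores IAM deny policies and conditions. It compares the recommended design with the rejected Browser-plus-Compute-Admin option.

```python
# Toy model of Cloud IAM allow-policy inheritance for this question.
# Constructed example: hierarchy, group names and role permission subsets
# are assumptions for illustration, not real data or real role contents.
from dataclasses import dataclass

# child -> parent; the Organization node is the root of the hierarchy.
HIERARCHY = {
    "organizations/123456789": None,
    "folders/finance": "organizations/123456789",
    "folders/retail": "organizations/123456789",
    "projects/fin-app": "folders/finance",
    "projects/fin-data": "folders/finance",
    "projects/retail-web": "folders/retail",
}

# Small, constructed subsets of each role's real permission list.
ROLES = {
    "roles/browser": {
        "resourcemanager.folders.get", "resourcemanager.projects.get",
        "resourcemanager.projects.list",
    },
    "roles/viewer": {
        "resourcemanager.projects.get", "compute.instances.get",
        "compute.instances.list", "compute.networks.get", "storage.objects.get",
    },
    "roles/compute.admin": {
        "compute.instances.get", "compute.instances.list", "compute.instances.create",
        "compute.instances.delete", "compute.instances.start", "compute.instances.stop",
    },
    # Organization-level custom role holding only what the developers need.
    "organizations/123456789/roles/vmStartStop": {
        "compute.instances.start", "compute.instances.stop",
    },
}


@dataclass(frozen=True)
class Binding:
    resource: str   # where the role is granted
    role: str       # predefined, basic or custom role name
    member: str     # principal, e.g. group:...@example.com


def ancestry(resource):
    """Yield the resource and each ancestor up to the Organization node."""
    while resource is not None:
        yield resource
        resource = HIERARCHY[resource]


def effective_permissions(member, resource, bindings):
    """Union of the permissions from every binding on the resource or any ancestor.
    Allow policies only: deny policies and conditions are out of scope here."""
    perms = set()
    for node in ancestry(resource):
        for b in bindings:
            if b.resource == node and b.member == member:
                perms |= ROLES[b.role]
    return perms


def excess(member, resource, needed, bindings):
    """Permissions granted beyond what the principal needs: the least-privilege gap."""
    return effective_permissions(member, resource, bindings) - set(needed)


NET_ENG_FIN = "group:net-eng-finance@example.com"
DEV_FIN_APP = "group:dev-fin-app@example.com"
DEV_NEEDS = {"compute.instances.start", "compute.instances.stop"}

# Recommended design: basic Viewer per folder, custom start/stop role per project.
RECOMMENDED = [
    Binding("folders/finance", "roles/viewer", NET_ENG_FIN),
    Binding("folders/retail", "roles/viewer", "group:net-eng-retail@example.com"),
    Binding("projects/fin-app", "organizations/123456789/roles/vmStartStop", DEV_FIN_APP),
]

# Rejected design: Browser on the folder, Compute Admin cascading from the folder.
REJECTED = [
    Binding("folders/finance", "roles/browser", NET_ENG_FIN),
    Binding("folders/finance", "roles/compute.admin", DEV_FIN_APP),
]

if __name__ == "__main__":
    for name, design in (("recommended", RECOMMENDED), ("rejected", REJECTED)):
        print(name)
        print("  net-eng can read fin-data instances:",
              "compute.instances.get" in effective_permissions(NET_ENG_FIN, "projects/fin-data", design))
        print("  net-eng can read retail-web instances:",
              "compute.instances.get" in effective_permissions(NET_ENG_FIN, "projects/retail-web", design))
        print("  dev excess permissions on fin-app:",
              sorted(excess(DEV_FIN_APP, "projects/fin-app", DEV_NEEDS, design)))
        print("  dev can stop fin-data VMs (another team's project):",
              "compute.instances.stop" in effective_permissions(DEV_FIN_APP, "projects/fin-data", design))
```

The corresponding real commands (organization and project IDs assumed) are `gcloud iam roles create vmStartStop --organization=ORG_ID --title="VM start/stop" --permissions=compute.instances.start,compute.instances.stop`, `gcloud resource-manager folders add-iam-policy-binding FOLDER_ID --member=group:net-eng-finance@example.com --role=roles/viewer` and `gcloud projects add-iam-policy-binding PROJECT_ID --member=group:dev-fin-app@example.com --role=organizations/ORG_ID/roles/vmStartStop`. One practical caveat: a role with only start and stop is enough for gcloud or API calls against a known instance name, but the Cloud console needs compute.instances.get and compute.instances.list to show the instance before the button can be clicked, so decide deliberately whether those read permissions belong in the custom role.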
Configuring Access