GCP Professional Cloud Security Engineer Practice Question
Your organization must ensure that, except for the central backup service account ([email protected]), no identity can ever delete objects from the legacy archive bucket gs://prod-archive. The bucket already inherits several project-level bindings that grant roles/storage.objectAdmin to numerous teams, and more permissions might be added later. You are not allowed to modify or remove any existing allow bindings on the project or bucket. What is the most future-proof way to meet the requirement with the least ongoing maintenance effort?
Attach a project-level IAM Deny policy that lists storage.objects.delete in deniedPermissions, targets principal://* (all principals), and lists serviceAccount:[email protected] in exceptionPrincipals.
Add an IAM Condition to every current and future roles/storage.objectAdmin binding that allows deletes only when request.auth.principal equals the backup service account.
Remove the existing roles/storage.objectAdmin bindings, replace them with custom roles that exclude storage.objects.delete, and grant roles/storage.objectAdmin on the bucket only to the backup service account.
Create an organization-level IAM Deny policy that blocks storage.objects.delete for everyone, then add a bucket-level allow binding giving roles/storage.objectAdmin to the backup service account so it overrides the deny.
In Google Cloud IAM, deny policies are evaluated before any allow bindings at the same or lower level, and an allow binding can never override a deny. Although Cloud Storage buckets do not support attached deny policies, you can attach a deny policy to the project that owns the bucket. By creating a project-level deny rule that blocks storage.objects.delete for all principals while adding serviceAccount:[email protected] to exceptionPrincipals, you guarantee that deletes are prevented for everyone except the backup service account. Because the deny applies before any current or future allow bindings inherited by the bucket, no additional maintenance is required when new roles are granted. Approaches that rely on editing every allow binding or custom role are error-prone and require continual updates. An allow binding cannot override a deny, so granting an allow binding only to the backup account after a global deny would not work unless that account is exempted in the deny policy itself.
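The project-level deny policy from the correct answer, written as a gcloud policy file. This is an added example, not part of the original question: PROJECT_ID and BACKUP_SA_EMAIL are placeholders, and the principal and permission identifiers use the forms the IAM v2 deny-policy API accepts (principalSet://goog/public:all for all principals, storage.googleapis.com/objects.delete for the permission) rather than the shorthand in the answer text. The tag condition is optional and assumes a tag has been attached to the archive bucket.

```yaml
# deny-archive-delete.yaml (constructed example)
# Attach to the project that owns gs://prod-archive; buckets cannot carry
# deny policies themselves, so the project is the nearest attachment point.
displayName: Block object deletes except for the backup service account
rules:
  - denyRule:
      # All principals, authenticated or not. Deny is evaluated before any
      # allow binding, so existing and future objectAdmin grants stay intact
      # but cannot delete.
      deniedPrincipals:
        - principalSet://goog/public:all
      # The only identity allowed through the deny. Exempting it here is the
      # only way to let it delete; an allow binding alone cannot override a deny.
      exceptionPrincipals:
        - principal://iam.googleapis.com/projects/-/serviceAccounts/BACKUP_SA_EMAIL
      # Deny-policy permission names are service-qualified, not role-style.
      deniedPermissions:
        - storage.googleapis.com/objects.delete
      # Optional: without a condition the deny covers every bucket in the
      # project. Deny conditions can only match resource tags, so to limit it
      # to the archive bucket, attach a tag (placeholder key/value) to the
      # bucket and match it here.
      denialCondition:
        title: Only tagged archive buckets
        expression: resource.matchTag('ORG_ID/data-class', 'legacy-archive')
```

Attach it with `gcloud iam policies create deny-archive-delete --attachment-point=cloudresourcemanager.googleapis.com/projects/PROJECT_ID --kind=denypolicies --policy-file=deny-archive-delete.yaml`, then verify with a non-exempt identity that an object delete is refused while the backup account still succeeds.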
GCP Professional Cloud Security Engineer
Configuring Access