GCP Professional Cloud Security Engineer Practice Question
Your security team must ensure that members of the group [email protected] can start, stop, or reset Compute Engine VMs in the production project only when both of the following are true:
Their source IP is within the corporate VPN subnet 203.0.113.0/24.
The request is made between 18:00 and 06:00 UTC on weekdays. All other IAM permissions for these users must remain unchanged, and the solution should introduce minimal ongoing operational effort. Which approach should you take?
Create a project-level IAM binding that grants the compute.instanceAdmin.v1 role to the group and add a CEL condition that allows the permission only when request.ip matches "203.0.113.0/24" and the request time is between 18:00 and 06:00 UTC on Monday-Friday.
Deploy Cloud Functions that grant the compute.instanceAdmin.v1 role to the group at 18:00 UTC and revoke it at 06:00 UTC, and add a firewall rule that only allows SSH from 203.0.113.0/24.
Set the organization policy constraint "compute.vmExternalIpAccess" to deny operations from addresses outside 203.0.113.0/24 and include a time-based condition covering 18:00-06:00 UTC on weekdays.
Define an Access Context Manager access level containing the VPN subnet and business-hour schedule, then place the production project in a VPC Service Controls perimeter that requires this access level for the Compute Engine API.
The requirement can be met with a single IAM conditional role binding. IAM Conditions let you attach a CEL expression to any IAM policy binding and evaluate context attributes such as request.ip, request.time, and weekday(). Grant the group the compute.instanceAdmin.v1 role on the project and add a condition like:
This enforces both the VPN subnet and time-of-day/weekday requirements without additional automation.
The other options are insufficient or higher-maintenance:
Access Context Manager levels and VPC Service Controls cannot restrict granular IAM actions like starting VMs and do not support time-based conditions.
Scheduling Cloud Functions to add and remove bindings introduces operational complexity and risk of drift, and firewall rules control network traffic, not IAM permissions.
The compute.vmExternalIpAccess organization policy limits assignment of public IPs, not who can invoke start/stop APIs or when.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is IAM conditional role binding in GCP?
Open an interactive chat with Bash
What is the purpose of CEL expressions in GCP IAM?
Open an interactive chat with Bash
How does the compute.instanceAdmin.v1 role work in GCP?
Open an interactive chat with Bash
What is IAM and how do IAM Conditions work in GCP?
Open an interactive chat with Bash
What is CEL and how does it apply to IAM policies?
Open an interactive chat with Bash
What is the difference between Access Context Manager and IAM Conditions in GCP?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .