GCP Professional Cloud Security Engineer Practice Question
Your security team must ensure that members of the group [email protected] can start, stop, or reset Compute Engine VMs in the production project only when both of the following are true:
Their source IP is within the corporate VPN subnet 203.0.113.0/24.
The request is made between 18:00 and 06:00 UTC on weekdays.
All other IAM permissions for these users must remain unchanged, and the solution should introduce minimal ongoing operational effort. Which approach should you take?
Set the organization policy constraint "compute.vmExternalIpAccess" to deny operations from addresses outside 203.0.113.0/24 and include a time-based condition covering 18:00-06:00 UTC on weekdays.
Deploy Cloud Functions that grant the compute.instanceAdmin.v1 role to the group at 18:00 UTC and revoke it at 06:00 UTC, and add a firewall rule that only allows SSH from 203.0.113.0/24.
Create a project-level IAM binding that grants the compute.instanceAdmin.v1 role to the group and add a CEL condition that allows the permission only when request.ip matches "203.0.113.0/24" and the request time is between 18:00 and 06:00 UTC on Monday-Friday.
Define an Access Context Manager access level containing the VPN subnet and business-hour schedule, then place the production project in a VPC Service Controls perimeter that requires this access level for the Compute Engine API.
The requirement can be met with a single IAM conditional role binding. IAM Conditions let you attach a CEL expression to any IAM policy binding and evaluate context attributes such as request.ip, request.time, and weekday(). Grant the group the compute.instanceAdmin.v1 role on the project and add a condition like:
This enforces both the VPN subnet and time-of-day/weekday requirements without additional automation.
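The conditional binding described above, written out as an added example (not the page's own text) in the policy-file form that `gcloud projects set-iam-policy PROJECT_ID policy.yaml` consumes. PROJECT_ID, GROUP_EMAIL and the etag are placeholders, and only the time-window clause is spelled out, using the documented request.time.getHours and getDayOfWeek functions (0 = Sunday); the overnight window is assumed to be keyed to the weekday evening it starts on, so Friday 18:00 through Saturday 06:00 is inside it and Sunday evening is not.

```yaml
# Added example: project IAM policy carrying one conditional binding.
# Apply with: gcloud projects set-iam-policy PROJECT_ID policy.yaml
# Fetch the live policy first (gcloud projects get-iam-policy PROJECT_ID --format=yaml)
# and keep its etag so a concurrent edit makes the write fail instead of being overwritten.
version: 3                          # conditions need policy version 3; older versions drop them
etag: ETAG_FROM_GET_IAM_POLICY      # placeholder, copy from the fetched policy
bindings:
# ... every existing binding stays exactly as fetched; only this one is added ...
- role: roles/compute.instanceAdmin.v1
  members:
  - group:GROUP_EMAIL               # placeholder for the group named in the question
  condition:
    title: vm-ops-night-shift-only
    description: >-
      Start, stop or reset Compute Engine VMs only between 18:00 and 06:00 UTC
      on weekday nights. The corporate-subnet clause is not shown in this example.
    # getDayOfWeek("UTC"): 0 = Sunday ... 6 = Saturday. getHours("UTC"): 0-23.
    # Evening half: Monday-Friday from 18:00. Morning half: Tuesday-Saturday before
    # 06:00, i.e. the tail of each weekday night (assumption stated in the lead-in).
    expression: >-
      (request.time.getDayOfWeek("UTC") >= 1 &&
      request.time.getDayOfWeek("UTC") <= 5 &&
      request.time.getHours("UTC") >= 18)
      ||
      (request.time.getDayOfWeek("UTC") >= 2 &&
      request.time.getDayOfWeek("UTC") <= 6 &&
      request.time.getHours("UTC") < 6)
```

The same binding can be added on its own with `gcloud projects add-iam-policy-binding PROJECT_ID --member=group:GROUP_EMAIL --role=roles/compute.instanceAdmin.v1 --condition=...`. Either way, a condition only narrows the binding it is attached to: confirm with `gcloud projects get-iam-policy` (and at the folder and organization level) that the group does not also hold the same role through an unconditional or inherited binding, since that binding would grant the access regardless of time.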
The other options are insufficient or higher-maintenance:
Access Context Manager levels and VPC Service Controls cannot restrict granular IAM actions like starting VMs and do not support time-based conditions.
Scheduling Cloud Functions to add and remove bindings introduces operational complexity and risk of drift, and firewall rules control network traffic, not IAM permissions.
The compute.vmExternalIpAccess organization policy limits assignment of public IPs, not who can invoke start/stop APIs or when.
GCP Professional Cloud Security Engineer
Supporting compliance requirements