Challenge your understanding of IAM roles, permissions, and security practices within GCP. This quiz helps reinforce essential concepts related to access control, least privilege, and policy management in cloud environments.
Which type of IAM role grants the broadest set of permissions across all resources in a given project, such as compute instances and storage buckets?
Explanation: Owner is the broadest of the basic roles (Owner, Editor, Viewer). It includes every Editor permission plus the ability to manage the project's IAM policy and billing, so an Owner can also grant access to others. "Editor pole" is a misspelled distractor for Editor, which grants broad create, modify and delete access to resources but not control over IAM or billing. A custom role contains only the permissions selected for it, so it is only as broad as it has been configured to be. Viewer grants read-only access with no administrative capability. Note for practitioners: basic roles predate per-service permissions and sweep across every resource type in the project, so Google recommends predefined or custom roles in production and reserving Owner for a small number of break-glass principals.
In a scenario where an employee only needs to view cloud storage files but not make changes, which built-in IAM role should be assigned to them?
Explanation: The read-only predefined role for Cloud Storage objects is Storage Object Viewer (roles/storage.objectViewer), listed here as "Storage Viewer". It allows listing and reading (downloading) objects but carries no write or delete permission, which matches the principle of least privilege for someone who only needs to view files. Storage Admin (roles/storage.admin) grants full control over buckets and objects, including deletion, far more than the task requires. "Storage Writer" and "Storage Creator" are not predefined role names; the closest real role, Storage Object Creator (roles/storage.objectCreator), allows adding new objects, which is unnecessary in this scenario. When answering least-privilege questions, check the role's actual permission list rather than its name: "viewer" roles still allow downloading data, which may itself be sensitive.
If a user is granted the 'Editor' role at the organization level, what access do they have for newly created projects under that organization?
Explanation: IAM allow policies are inherited down the resource hierarchy (organization, folder, project, resource). A binding set at the organization level therefore applies to every project beneath it, including projects created after the binding was made, without any further action. The effective policy on a project is the union of its own bindings and those of all its ancestors, so a project-level policy cannot narrow what the organization has granted; only removing the organization binding (or, where applicable, an IAM deny policy) can do that. "No access" is wrong because inheritance provides rights to all descendant resources. "Only read access" describes Viewer, not Editor, and "manual granting per project" misstates how inheritance works. For this reason, granting Editor at the organization level is a significant over-grant and should be treated as a finding in an access review.
Why might a security team create a custom IAM role instead of using predefined roles for granting access to a service account in a cloud project?
Explanation: A custom IAM role bundles exactly the permissions listed in its definition, so a security team can grant a service account only what its workload needs when the nearest predefined role is still too broad. Avoiding permission inheritance is not a benefit of custom roles; inheritance depends on where a binding is placed in the hierarchy, not on the role type. Hiding roles from audits is not possible: custom roles and their bindings appear in the IAM policy and in audit logs like any other role, and attempting to hide access would itself be a security risk. Typographical errors in permission names would cause the role definition to be rejected rather than serve any purpose. Two practical caveats: custom roles are not updated automatically when a service adds new permissions, so they need periodic review, and some permissions are not available for use in custom roles.
What is a potential security risk of granting a service account permissions that are broader than necessary within a project?
Explanation: If a service account holds more permissions than its workload needs and its credentials are compromised, whether through a leaked JSON key, a compromised workload that can fetch access tokens from the metadata server, or an attacker who can impersonate it, the attacker inherits every one of those permissions. Over-broad grants widen the blast radius of a single compromise and can enable lateral movement or privilege escalation across the project. Broad permissions do not by themselves increase billing costs, affect network speed, or cause automatic deletion; those options reflect misunderstandings of what permissions control.
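The three explanations above (organization-level inheritance, custom roles as a least-privilege tool, and the blast radius of an over-privileged service account) can be made concrete with a small policy evaluator. The following is an added example, not part of the quiz and not Google's tooling: it unions allow-policy bindings up a constructed hierarchy the way GCP does, flags service accounts that hold a basic role anywhere in that ancestry, and shows a custom-role definition in the shape that `gcloud iam roles create ROLE_ID --file=FILE` accepts. The organization ID, project ID, principals and the policies themselves are constructed for illustration; the role and permission identifiers are real GCP names.

```python
"""Toy evaluator for GCP IAM allow-policy inheritance (added example).

The hierarchy, principals and policies below are constructed for
illustration; the organization ID, project IDs and e-mail addresses are
assumptions, not real resources. Role and permission IDs are real.
"""
from dataclasses import dataclass
from typing import Optional

# Basic (formerly primitive) roles: broad, resource-type-agnostic grants.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


@dataclass
class Resource:
    name: str                     # e.g. "organizations/123456789"
    policy: dict                  # allow policy: {"bindings": [...]}
    parent: Optional["Resource"] = None


def ancestry(res: Resource):
    """Yield the resource itself, then each parent up to the organization."""
    while res is not None:
        yield res
        res = res.parent


def effective_bindings(res: Resource) -> dict:
    """Union of bindings on the resource and on all of its ancestors.

    Allow policies are additive down the hierarchy: a role granted at the
    organization applies to every project beneath it, including projects
    created after the binding, and a project-level policy cannot remove it.
    Returns {member: {(role, resource_where_granted), ...}}.
    """
    granted: dict = {}
    for node in ancestry(res):
        for binding in node.policy.get("bindings", []):
            for member in binding["members"]:
                granted.setdefault(member, set()).add((binding["role"], node.name))
    return granted


def roles_for(res: Resource, member: str) -> set:
    """Effective roles a principal holds on `res`, wherever they were granted."""
    return {role for role, _ in effective_bindings(res).get(member, set())}


def flag_basic_roles_on_service_accounts(res: Resource) -> list:
    """Service accounts holding a basic role anywhere in the ancestry.

    Returns sorted (member, role, granted_on) tuples; `granted_on` tells the
    reviewer which policy to fix, since the binding may live at the org.
    """
    findings = []
    for member, grants in effective_bindings(res).items():
        if member.startswith("serviceAccount:"):
            for role, where in grants:
                if role in BASIC_ROLES:
                    findings.append((member, role, where))
    return sorted(findings)


# Constructed sample hierarchy: a CI service account was given Editor at the
# organization "for convenience", alongside a human org-level Editor.
ORG = Resource(
    "organizations/123456789",
    {"bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:ci-deployer@tooling-proj.iam.gserviceaccount.com"]},
    ]},
)
# A project created after the org binding above; its own policy only grants
# bob read access to objects, yet alice and the CI account are Editors here.
NEW_PROJECT = Resource(
    "projects/new-analytics-proj",
    {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["user:bob@example.com"]},
    ]},
    parent=ORG,
)

# Least-privilege replacement for the CI account's Editor grant, in the
# YAML/JSON shape `gcloud iam roles create` accepts via --file.
CUSTOM_ROLE = {
    "title": "CI bucket reader",
    "description": "List buckets and read objects; nothing else.",
    "stage": "GA",
    "includedPermissions": [
        "storage.buckets.get",
        "storage.objects.get",
        "storage.objects.list",
    ],
}

if __name__ == "__main__":
    print("alice on new project:", roles_for(NEW_PROJECT, "user:alice@example.com"))
    print("bob on new project:  ", roles_for(NEW_PROJECT, "user:bob@example.com"))
    for finding in flag_basic_roles_on_service_accounts(NEW_PROJECT):
        print("FINDING (basic role on service account):", finding)
```

Running it shows that alice and the CI service account are Editors on the new project even though its own policy never mentions them, and the finding points back at the organization policy as the place to remediate. In a real review the input would come from `gcloud projects get-iam-policy PROJECT --format=json` and its organization and folder equivalents; the evaluator ignores IAM conditions and deny policies, which a production tool would need to handle.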