Assess your understanding of managing permissions and roles for cloud-based compute resources like virtual machines and serverless functions. Explore key concepts related to identity access management in connection with automated services and ensure secure, effective access control in diverse architectures.
When launching a virtual machine, what is the primary purpose of assigning an identity and access role to the instance?
Explanation: Assigning an identity and access role enables the instance to securely communicate with other resources without embedding sensitive keys. Increasing bandwidth or assigning a static IP is handled elsewhere, not through roles. Automatic software updates are managed by configuration or agents, not directly by roles.
A developer wants a serverless function to write logs to a monitoring service. Which method should be used to grant this permission?
Explanation: Attaching an execution role allows the function to securely interact with other services. Firewall rules only control network traffic, not permissions. Storing credentials in environment variables is insecure. Security groups are unrelated to service privileges.
Which statement correctly describes a resource policy in the context of cloud storage?
Explanation: A resource policy defines which identities can use a resource and with what actions. Allocating disk space or assigning encryption keys involves different configurations. Monitoring is handled by logging features, not policies themselves.
What is the function of an instance profile when configuring a virtual machine for role-based permissions?
Explanation: An instance profile links an identity role to a running instance for secure access to resources. The operating system, CPU, and network settings are chosen elsewhere and not handled by instance profiles.
Why might a compute service need a dedicated service role with specific permissions?
Explanation: Service roles enable systems to perform actions securely without embedded credentials. Encryption is managed through separate features. Adjusting memory or affecting billing does not rely on roles.
If you want to grant a function access only to read data from storage, what should you do?
Explanation: Granting only the necessary permissions follows the ‘least privilege’ principle and improves security. Full admin access or extra permissions increase risk, and removing all policies prevents the function from accessing anything.
Why do virtual machines using identity roles receive temporary credentials instead of static access keys?
Explanation: Temporary credentials limit the window for misuse if they’re leaked. Startup times and costs are unrelated to credential length. Static keys don’t provide any region selection capabilities.
A virtual machine needs to retrieve items from a database service. Which step enables this communication securely?
Explanation: Granting suitable permissions via the role enables secure access to the database. IP assignments and restarts are unrelated to permissions, and making the database public exposes sensitive data.
When connecting a serverless function to respond to storage bucket events, what must be in place for secure operation?
Explanation: A permission policy allows the function to read or process bucket events securely. Local credential files and outbound traffic controls don’t handle access, and requiring manual invocation defeats automation.
What should you do after identifying that an identity role attached to an instance has unused write permissions to storage?
Explanation: Removing extra permissions reduces risk by adhering to security best practices. Duplicating roles doesn’t address the issue, and ignoring the problem accepts unnecessary risk. Operating system reboots are unrelated to role configuration changes.