Google Professional Cloud Security Engineer: How to Implement Separation of Duties in Google Cloud Using Custom IAM Roles?

Learn how to effectively implement separation of duties in a Google Cloud project by creating and assigning custom IAM roles to developers and network administrators. Ensure that developers can deploy code without having permission to change network firewall rules.

Question

Your organization is implementing separation of duties in a Google Cloud project. A group of developers must deploy new code, but cannot have permission to change network firewall rules. What should you do?

A. Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.
B. Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.
C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
D. Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.

Answer

C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.

Explanation

To implement separation of duties in a Google Cloud project where developers must deploy new code but cannot change network firewall rules, you should create two custom IAM roles:

  1. Deployer Role: This custom role should include permissions related to Compute Engine and deployment, such as compute.instances.create, compute.instances.delete, and storage.buckets.get. Assign this role to the group of developers.
  2. Network Administrator Role: This custom role should include permissions related to managing firewall rules, such as compute.firewalls.create, compute.firewalls.delete, and compute.firewalls.update. Assign this role to the authorized network administrators.

By creating and assigning these custom IAM roles, you ensure that developers have the necessary permissions to deploy code without having access to modify firewall settings. This approach adheres to the principle of least privilege and helps maintain a secure environment in your Google Cloud project.
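The following is an added example, not code from the original page: it models the two custom roles described above as permission lists, checks that the deployer role cannot change network boundaries and does not overlap the network administrator role, and renders the gcloud commands that would create and bind them. The permission lists, role IDs, group addresses and project ID are constructed placeholders.

```python
"""Separation-of-duties check for a deployer role and a network admin role."""
import re
import shlex

PROJECT_ID = "example-project"  # placeholder, not a real project

# Constructed role definitions following the explanation above.
CUSTOM_ROLES = {
    "deployer": [
        "compute.instances.create",
        "compute.instances.delete",
        "compute.instances.get",
        "storage.buckets.get",
    ],
    "networkAdmin": [
        "compute.firewalls.create",
        "compute.firewalls.delete",
        "compute.firewalls.update",
        "compute.firewalls.get",
    ],
}

# Permission families that let a principal change the network boundary.
# Assumed starting list; extend it for your own environment.
NETWORK_CHANGE_PATTERNS = [
    r"^compute\.firewalls\.(create|delete|update)$",
    r"^compute\.networks\.(create|delete|update|updatePolicy)$",
    r"^compute\.subnetworks\.(create|delete|update)$",
]

def network_change_permissions(permissions):
    """Return the sorted subset of permissions that allow network changes."""
    return sorted(p for p in permissions
                  if any(re.match(pat, p) for pat in NETWORK_CHANGE_PATTERNS))

def violates_separation(deployer_perms, admin_perms):
    """True if the deployer role can change the network or overlaps the admin role."""
    return (bool(network_change_permissions(deployer_perms))
            or bool(set(deployer_perms) & set(admin_perms)))

def gcloud_create_command(role_id, permissions, project=PROJECT_ID):
    """Render the gcloud command that creates a project-level custom role."""
    return ("gcloud iam roles create {} --project={} --stage=GA --permissions={}"
            .format(shlex.quote(role_id), shlex.quote(project),
                    ",".join(sorted(permissions))))

def gcloud_bind_command(role_id, group_email, project=PROJECT_ID):
    """Render the gcloud command that grants the custom role to a Google group."""
    return ("gcloud projects add-iam-policy-binding {} --member=group:{} "
            "--role=projects/{}/roles/{}".format(shlex.quote(project),
            shlex.quote(group_email), shlex.quote(project), shlex.quote(role_id)))
```

Run `violates_separation` against the two lists before creating the roles; any firewall or network permission that creeps into the deployer role fails the check.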

The other options are not recommended for the following reasons:

  • Option A is not secure as it relies on developers following instructions rather than enforcing permissions through IAM.
  • Option B uses Access Context Manager, which is more suitable for defining access based on attributes like IP address or device security posture, rather than separating duties between developers and network administrators.
  • Option D grants the editor role to developers, which is far too broad, and then tries to take back the firewall permissions with IAM deny policies. Layering deny rules over an over-privileged role is more complex and error-prone than creating custom roles that contain only the permissions each group needs.