
Exam Professional Cloud Security Engineer topic 1 question 301 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 301
Topic #: 1

Your organization is implementing separation of duties in a Google Cloud project. A group of developers must deploy new code, but cannot have permission to change network firewall rules. What should you do?

  • A. Assign the network administrator IAM role to all developers. Tell developers not to change firewall settings.
  • B. Use Access Context Manager to create conditions that allow only authorized administrators to change firewall rules based on attributes such as IP address or device security posture.
  • C. Create and assign two custom IAM roles. Assign the deployer role to control Compute Engine and deployment-related permissions. Assign the network administrator role to manage firewall permissions.
  • D. Grant the editor IAM role to the developer group. Explicitly negate any firewall modification permissions by using IAM deny policies.
Suggested Answer: C
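The split that option C describes can be checked mechanically before the roles are created. The script below is an added example, not code from the exam page or from Google: it models a deployer custom role and a separate network-administrator custom role, verifies that the deployer role contains no permission that can change VPC firewall rules (classic `compute.firewalls.*` writes, firewall-policy writes, and `compute.networks.updatePolicy`, which Google requires for editing classic firewall rules), shows what an option-D deny policy on firewall permissions would still leave granted, and emits the JSON that `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE` accepts. The permission lists are illustrative choices, and `EDITOR_EXCERPT` is a constructed stand-in for `roles/editor`, not its real contents.

```python
"""Separation-of-duties check for two custom IAM roles on Google Cloud.

Added example, not from the exam page or from Google. Permission lists are
illustrative; EDITOR_EXCERPT is a constructed stand-in for roles/editor.
"""
import json

# Compute Engine resources whose mutation changes what traffic a VPC admits.
FIREWALL_RESOURCES = {
    "firewalls",
    "firewallPolicies",
    "networkFirewallPolicies",
    "regionNetworkFirewallPolicies",
}
READ_ONLY_VERBS = {"get", "list", "getIamPolicy"}


def is_firewall_write(permission: str) -> bool:
    """True if the permission can change firewall configuration.

    compute.networks.updatePolicy is included because creating, updating or
    deleting a classic VPC firewall rule requires it on the parent network.
    """
    if permission == "compute.networks.updatePolicy":
        return True
    parts = permission.split(".")
    if len(parts) != 3 or parts[0] != "compute":
        return False
    _, resource, verb = parts
    return resource in FIREWALL_RESOURCES and verb not in READ_ONLY_VERBS


# Illustrative deployer role: enough to roll out instances and templates,
# nothing that touches network policy.
DEPLOYER_PERMISSIONS = [
    "compute.disks.create",
    "compute.images.useReadOnly",
    "compute.instanceGroupManagers.update",
    "compute.instanceTemplates.create",
    "compute.instances.create",
    "compute.instances.delete",
    "compute.instances.get",
    "compute.instances.list",
    "compute.subnetworks.use",
    "compute.zoneOperations.get",
    "iam.serviceAccounts.actAs",
]

# Illustrative network-administrator role: owns classic VPC firewall rules.
NETWORK_ADMIN_PERMISSIONS = [
    "compute.firewalls.create",
    "compute.firewalls.delete",
    "compute.firewalls.get",
    "compute.firewalls.list",
    "compute.firewalls.update",
    "compute.networks.updatePolicy",
]

# Constructed excerpt standing in for roles/editor (option D). Not the real
# permission list; only enough to show what a firewall deny policy leaves open.
EDITOR_EXCERPT = [
    "compute.firewalls.update",
    "compute.instances.create",
    "compute.networks.create",
    "compute.routes.create",
    "iam.serviceAccounts.actAs",
    "storage.objects.delete",
]


def firewall_write_permissions(permissions):
    return sorted(p for p in permissions if is_firewall_write(p))


def check_separation(deployer, network_admin):
    """Return violations of the intended split; an empty list means it holds."""
    violations = []
    for p in firewall_write_permissions(deployer):
        violations.append(f"deployer role can change firewall config via {p}")
    if not firewall_write_permissions(network_admin):
        violations.append("network admin role cannot manage firewall rules")
    return violations


def remaining_after_deny(granted, denied):
    """Option D: a deny policy subtracts only the listed permissions."""
    return sorted(set(granted) - set(denied))


def role_definition(title, description, permissions):
    """JSON body for gcloud iam roles create ROLE_ID --project=P --file=F."""
    return json.dumps(
        {
            "title": title,
            "description": description,
            "stage": "GA",
            "includedPermissions": sorted(permissions),
        },
        indent=2,
    )


if __name__ == "__main__":
    print("violations:", check_separation(DEPLOYER_PERMISSIONS, NETWORK_ADMIN_PERMISSIONS))
    denied = firewall_write_permissions(EDITOR_EXCERPT)
    print("still granted under option D:", remaining_after_deny(EDITOR_EXCERPT, denied))
    print(role_definition("App Deployer", "Deploys code to Compute Engine", DEPLOYER_PERMISSIONS))
    print(role_definition("Network Admin", "Manages VPC firewall rules", NETWORK_ADMIN_PERMISSIONS))
```

Write each JSON document to a file, create the roles with `gcloud iam roles create ROLE_ID --project=PROJECT_ID --file=FILE`, then bind the developer group to the deployer role only, for example with `gcloud projects add-iam-policy-binding PROJECT_ID --member=group:DEV_GROUP --role=projects/PROJECT_ID/roles/ROLE_ID`. The `remaining_after_deny` output is the practical objection to option D: denying the firewall permissions on top of Editor removes exactly those permissions and leaves every other Editor permission in place.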

Comments

f983100
3 days, 3 hours ago
Selected Answer: C
C is the correct answer; however, I'd like to add that the permissions related to firewall rules must be assigned to a different group. Option D leaves other wide permissions open.
upvoted 1 times
n2183712847
3 months, 1 week ago
Selected Answer: D
D. is the most robust and explicit solution for enforcing separation of duties. While granting the Editor role is overly permissive, pairing it with an IAM Deny policy creates an unbreakable security guardrail that explicitly blocks firewall modification permissions, overriding any and all allow policies that might be granted. A is incorrect because it relies on trust ("telling them not to") instead of an enforced technical control, which is a major security anti-pattern. B is incorrect because it uses the wrong tool; Access Context Manager controls where access comes from (e.g., corporate IP), not what actions a user is permitted to perform. C is incorrect because while creating custom roles is a good practice, it doesn't offer the same unbreakable guarantee as an IAM Deny policy, which would override any accidental "allow" permissions a developer might inherit from other roles.
upvoted 1 times
json4u
1 year, 1 month ago
Selected Answer: C
It's C.
upvoted 1 times
abdelrahman89
1 year, 1 month ago
C.
  • Custom Roles: Creating custom IAM roles allows you to define granular permissions, ensuring that developers only have the necessary access to deploy new code.
  • Separation of Duties: By assigning the deployer role to control Compute Engine and deployment-related permissions, while assigning the network administrator role to manage firewall permissions, you effectively enforce separation of duties. This reduces the risk of unauthorized access or malicious activities.
  • Granular Control: Custom roles provide more granular control over permissions compared to pre-defined roles, allowing you to tailor access to specific tasks.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other