Bird
Raised Fist0
GCPcloud~20 mins

Least privilege principle in GCP - Practice Problems & Coding Challenges

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Challenge - 5 Problems
๐ŸŽ–๏ธ
Least Privilege Mastery
Get all challenges correct to earn this badge!
Test your skills under time pressure!
๐Ÿง  Conceptual
intermediate
2:00remaining
Understanding Least Privilege Principle in GCP IAM

Which of the following best describes the least privilege principle when assigning IAM roles in Google Cloud Platform?

AGrant users only the permissions they need to perform their tasks and no more.
BGrant users all permissions to avoid access issues and simplify management.
CAssign roles based on the user's seniority rather than their job function.
DGive users broad permissions initially and reduce them later if problems arise.
Attempts:
2 left
๐Ÿ’ก Hint

Think about security risks of giving too many permissions.

โ“ Architecture
intermediate
2:00remaining
Designing IAM Roles for a Multi-Team GCP Project

You have three teams: Developers, QA, and Operations. Each team needs access to different GCP resources. How should you apply the least privilege principle when assigning IAM roles?

ACreate custom roles with only the necessary permissions for each team and assign those roles accordingly.
BAssign the Owner role to all teams to ensure full access and avoid permission errors.
CAssign the Viewer role to all teams and escalate permissions only when requested.
DUse predefined roles like Editor for all teams since they cover most permissions.
Attempts:
2 left
๐Ÿ’ก Hint

Consider how to limit permissions to only what each team needs.

โ“ security
advanced
2:00remaining
Impact of Over-Permissive IAM Roles

What is the most likely security risk if a GCP user is assigned the roles/editor role instead of a more restrictive custom role following the least privilege principle?

AThe user will only have read-only access, limiting their ability to work effectively.
BThe user can accidentally or maliciously modify or delete resources beyond their job scope, increasing risk of data loss or service disruption.
CThe user will be automatically logged out after 5 minutes due to security policies.
DThe user will be unable to perform any tasks because Editor role has no permissions.
Attempts:
2 left
๐Ÿ’ก Hint

Think about what permissions the Editor role grants compared to a minimal role.

โ“ service_behavior
advanced
2:00remaining
Effect of Least Privilege on Automated GCP Service Accounts

An automated service account is used by a deployment pipeline in GCP. Which practice aligns with the least privilege principle to minimize security risks?

AAssign the service account the Owner role to ensure it can deploy anything without errors.
BUse the default Compute Engine service account with all permissions for simplicity.
CAssign the service account only the specific permissions needed to deploy resources it manages, not full project access.
DDisable the service account after each deployment to prevent misuse.
Attempts:
2 left
๐Ÿ’ก Hint

Consider how to limit automated account permissions to only what is necessary.

โœ… Best Practice
expert
3:00remaining
Implementing Least Privilege with GCP IAM Conditions

You want to enforce least privilege by restricting a userโ€™s access to a GCP Storage bucket only during business hours (9 AM to 5 PM). Which IAM feature allows you to implement this restriction?

AManually enable and disable the userโ€™s access each day at 9 AM and 5 PM.
BCreate a custom role without any time restrictions and assign it to the user.
CUse VPC Service Controls to restrict access based on IP address only.
DUse IAM Conditions to add a time-based condition on the userโ€™s role binding for the bucket.
Attempts:
2 left
๐Ÿ’ก Hint

Think about how to automate access restrictions based on time.

Practice

(1/5)
1. What does the least privilege principle mean in cloud security?
easy
A. Grant access based on seniority, not tasks
B. Give all users full access to all resources
C. Allow users to share passwords for easier access
D. Give users only the access they need to do their job

Solution

  1. Step 1: Understand the principle meaning

    Least privilege means limiting access rights to the minimum necessary for tasks.

  2. Step 2: Match the correct description

    Give users only the access they need to do their job correctly states giving only needed access, while others give too much or irrelevant access.

  3. Final Answer:

    Give users only the access they need to do their job -> Option D

  4. Quick Check:

    Least privilege = minimal necessary access [OK]
Hint: Least privilege means minimal access needed only [OK]
Common Mistakes:
  • Thinking least privilege means full access
  • Confusing least privilege with password sharing
  • Assuming access depends on seniority
2. Which of the following is the correct way to assign a role following the least privilege principle in GCP IAM?
easy
A. Assign a predefined role that only allows necessary actions
B. Assign the 'Owner' role to all users for easy management
C. Assign the 'Editor' role to everyone to avoid permission issues
D. Assign no roles and let users request access when needed

Solution

  1. Step 1: Review role assignment options

    Least privilege requires giving only necessary permissions, not broad ones like Owner or Editor.

  2. Step 2: Identify the best practice

    Predefined roles with limited permissions fit least privilege best, so Assign a predefined role that only allows necessary actions is correct.

  3. Final Answer:

    Assign a predefined role that only allows necessary actions -> Option A

  4. Quick Check:

    Least privilege = specific predefined roles [OK]
Hint: Use predefined roles with minimal permissions [OK]
Common Mistakes:
  • Assigning Owner or Editor roles broadly
  • Not using predefined roles
  • Giving no roles and causing delays
3. Consider this IAM policy snippet in GCP:
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"]
    }
  ]
}

What access does Alice have?
medium
A. Full control over storage buckets
B. Can view objects in storage buckets
C. Can edit and delete storage objects
D. No access to storage resources

Solution

  1. Step 1: Identify the role assigned

    The role is 'roles/storage.objectViewer', which allows viewing objects only.

  2. Step 2: Understand permissions of the role

    This role grants read-only access to storage objects, no editing or deleting.

  3. Final Answer:

    Can view objects in storage buckets -> Option B

  4. Quick Check:

    objectViewer = read-only access [OK]
Hint: Viewer roles allow read-only access [OK]
Common Mistakes:
  • Confusing viewer with editor or owner roles
  • Assuming viewer can delete or edit
  • Ignoring the specific role name
4. You assigned the 'roles/editor' role to a service account, but it only needs to read data. What is the best fix to follow the least privilege principle?
medium
A. Keep the 'editor' role since it covers all needs
B. Remove the role and do not assign any role
C. Change the role to 'roles/viewer' or a more specific read-only role
D. Assign the 'owner' role for future flexibility

Solution

  1. Step 1: Identify the problem with current role

    'roles/editor' grants broad permissions beyond reading, violating least privilege.

  2. Step 2: Choose a role with minimal needed permissions

    Assigning 'roles/viewer' or a specific read-only role limits access appropriately.

  3. Final Answer:

    Change the role to 'roles/viewer' or a more specific read-only role -> Option C

  4. Quick Check:

    Least privilege = minimal needed permissions [OK]
Hint: Use read-only roles if only reading is needed [OK]
Common Mistakes:
  • Keeping overly broad roles
  • Removing roles entirely causing access failure
  • Assigning owner role unnecessarily
5. You manage a GCP project with multiple teams. One team needs to deploy apps but should not access billing info. How do you apply the least privilege principle?
hard
A. Assign a custom role with deployment permissions but no billing access
B. Assign 'Project Owner' role to the team for full control
C. Assign the 'Project Editor' role to the team and 'Billing Admin' to a few users
D. Give the team billing account access to avoid deployment delays

Solution

  1. Step 1: Understand team needs and restrictions

    The team needs deployment rights but must not access billing info.

  2. Step 2: Choose role assignment following least privilege

    A custom role with only deployment permissions and no billing access fits best.

  3. Final Answer:

    Assign a custom role with deployment permissions but no billing access -> Option A

  4. Quick Check:

    Least privilege = custom roles for precise access [OK]
Hint: Use custom roles to separate duties precisely [OK]
Common Mistakes:
  • Giving broad roles like Owner or Editor
  • Granting billing access unnecessarily
  • Ignoring custom roles for fine control