GCP | cloud | ~20 mins

IAM deny policies in GCP - Practice Problems & Coding Challenges

Challenge - 5 Problems
Conceptual (intermediate)
Understanding the effect of an IAM deny policy

In Google Cloud IAM, what happens when a deny policy explicitly denies a permission that a user is also granted by an allow policy?

A. The deny policy overrides the allow policy, so the user is denied the permission.
B. The allow policy overrides the deny policy, so the user is allowed the permission.
C. The user is allowed the permission only if the deny policy is attached to a different resource.
D. The deny policy and allow policy cancel each other out, so the user’s access depends on other policies.
💡 Hint

Think about which policy type has higher priority in IAM.

Configuration (intermediate)
Identifying the correct deny policy syntax

Which of the following JSON snippets correctly defines an IAM deny policy that denies the permission storage.buckets.delete for all users on a Cloud Storage bucket?

A.
{
  "denyRules": [
    {
      "deniedPermissions": ["storage.buckets.delete"]
    }
  ]
}
B.
{
  "bindings": [
    {
      "role": "roles/storage.admin",
      "members": ["allUsers"]
    }
  ]
}
C.
{
  "denyRules": [
    {
      "deniedPermissions": ["storage.buckets.delete"],
      "deniedPrincipals": ["allUsers"]
    }
  ]
}
D.
{
  "denyRules": [
    {
      "deniedPrincipals": ["allUsers"]
    }
  ]
}
💡 Hint

Check that both deniedPermissions and deniedPrincipals are specified.

Architecture (advanced)
Designing a deny policy for sensitive operations

You want to prevent all users except a specific admin group from deleting Compute Engine instances in a project. Which deny policy configuration achieves this?

A. Allow only the admin group the permission compute.instances.delete and do not create any deny policy.
B. Deny all users the permission compute.instances.delete except the admin group by specifying deniedPrincipals as allUsers and excluding the admin group.
C. Create a deny policy denying compute.instances.delete for allUsers and then create an allow policy granting the admin group the same permission.
D. Create a deny policy denying compute.instances.delete for allUsers except the admin group by specifying deniedPrincipals as allUsers and adding the admin group to exceptionPrincipals.
💡 Hint

Consider how to exclude a principal from a deny policy.

Service behavior (advanced)
Effect of deny policies on inherited permissions

If a deny policy is set on a folder denying resourcemanager.projects.delete, what happens when a user tries to delete a project inside that folder, even if the project’s IAM policy allows it?

A. The user is denied deleting the project only if the deny policy is also set on the project itself.
B. The user is denied deleting the project because deny policies on parent resources apply to child resources.
C. The user can delete the project only if they have the Owner role on the project.
D. The user can delete the project because the project’s IAM policy overrides the folder’s deny policy.
💡 Hint

Think about how deny policies propagate in the resource hierarchy.

Security (expert)
Analyzing a deny policy conflict scenario

A user is a member of two groups: Group A and Group B. Group A’s allow policy grants storage.objects.create on a bucket. Group B’s deny policy denies storage.objects.create on the same bucket. What is the user’s effective permission?

A. The user is denied storage.objects.create because deny policies override allow policies.
B. The user is allowed storage.objects.create because allow policies override deny policies.
C. The user’s permission depends on which group’s policy was applied last.
D. The user is allowed storage.objects.create only if they have an additional role granting it.
💡 Hint

Consider how deny policies affect users with multiple group memberships.