medium📝 service behavior Q13 of 15
GCP - Cloud IAM Advanced
Given this deny policy snippet:
{"denyRules": [{"deniedPermissions": ["compute.instances.start"]}]}

What happens if a user has an allow policy for compute.instances.start but this deny policy is applied?
A. The user can start instances because allow policies override deny policies
B. The deny policy has no effect unless combined with a condition
C. The user can start instances only during business hours
D. The user cannot start instances because deny policies block the permission
Step-by-Step Solution
Solution:
  1. Step 1: Understand deny policy precedence and apply to the example

    Deny policies always override allow policies for the specified permissions. Even if the user has an allow for starting instances, the deny rule blocks it.
  2. Final Answer:

    The user cannot start instances because deny policies block the permission -> Option D
  3. Quick Check:

    Deny overrides allow for blocked permissions
Quick Trick: Deny always beats allow for the same permission
Common Mistakes:
  • Thinking allow policies override deny policies
  • Assuming deny policies need conditions to work
  • Believing deny policies only log actions
