Which of the following best explains why using very broad IAM roles (like Owner) for all users is a bad practice?
Think about what happens if someone has more access than they really need.
Broad roles give users more permissions than necessary, increasing the chance of mistakes or misuse. Principle of least privilege helps reduce this risk.
Which IAM configuration below creates the highest security risk in a Google Cloud project?
Consider the principle of least privilege and what each role allows.
Giving Owner role to someone who only needs to read logs grants far more permissions than necessary, increasing risk.
You have three teams: Developers, QA, and Operations. Developers need to deploy apps, QA needs to run tests but not deploy, and Operations needs to manage infrastructure but not code. Which IAM setup best fits these needs?
Think about giving only the permissions each team needs.
Custom roles allow precise permission assignment matching each team's responsibilities, improving security and efficiency.
What is a likely outcome if a service account used by an app has the 'roles/storage.admin' role instead of a more limited role?
Consider what 'storage.admin' allows compared to limited roles.
'roles/storage.admin' grants full control over storage resources, so if the app or its credentials are compromised, an attacker can cause serious damage.
You want to allow a user to start Compute Engine instances only during business hours (9am-5pm). Which IAM feature should you use to enforce this?
Think about how to limit permissions based on time.
IAM Conditions allow you to add rules like time-based restrictions to roles, enforcing least privilege dynamically.