
To restrict a user to only start and stop Compute Engine instances without permissions to create or delete them, which IAM strategy aligns best with advanced IAM principles?

Hard | Best Practice | Q8 of 15
GCP - Cloud IAM Advanced
A. Assign the predefined roles/editor role to the user
B. Create a custom role with only start and stop instance permissions and assign it to the user
C. Grant the user the roles/compute.admin role and rely on monitoring
D. Use the roles/viewer role and instruct the user to avoid creating or deleting instances
Step-by-Step Solution
  1. Identify required permissions

    The user needs permissions only to start and stop instances, not to create or delete them.
  2. Evaluate IAM roles

    Predefined roles like roles/editor or roles/compute.admin grant broader permissions than needed.
  3. Choose a custom role

    Creating a custom role with only the necessary permissions follows the principle of least privilege.

  Final Answer:

    Create a custom role with only start and stop instance permissions and assign it to the user -> Option B

  Quick Check:

    Custom roles enable precise permission assignment [OK]
Quick Trick: Use custom roles for least privilege access [OK]
Common Mistakes:
  • Assigning overly broad predefined roles
  • Relying on user discipline instead of permissions
  • Granting admin roles unnecessarily
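
As an added example (not part of the original quiz), this check audits one user's grants against the start/stop-only requirement, flagging the broad predefined roles the solution rejects and any extra permissions in the custom role. The project, role ID and user are hypothetical; the dictionaries are constructed samples shaped like the JSON that `gcloud projects get-iam-policy` and `gcloud iam roles describe` return.

```python
import json

# Permissions the task on this page calls for: start and stop only.
ALLOWED = {"compute.instances.start", "compute.instances.stop"}
# Predefined roles the solution rejects as broader than needed.
BROAD_ROLES = {"roles/editor", "roles/compute.admin"}

def audit_member(policy, custom_roles, member):
    """Return (kind, detail) findings for every binding that gives `member`
    more than ALLOWED. An empty list means the grants match the task."""
    findings = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        role = binding["role"]
        if role in BROAD_ROLES:
            findings.append(("broad-role", role))
        elif role in custom_roles:
            granted = set(custom_roles[role].get("includedPermissions", []))
            for perm in sorted(granted - ALLOWED):
                findings.append(("excess-permission", f"{role}: {perm}"))
        else:
            # Any other role needs a manual review; do not assume it is safe.
            findings.append(("unreviewed-role", role))
    return findings

# Constructed sample data (hypothetical project, role ID and users).
MEMBER = "user:operator@example.com"
ROLE = "projects/example-project/roles/instanceOperator"
GOOD_ROLES = {ROLE: {"includedPermissions": [
    "compute.instances.start", "compute.instances.stop"]}}
DRIFTED_ROLES = {ROLE: {"includedPermissions": [
    "compute.instances.start", "compute.instances.stop",
    "compute.instances.delete"]}}
GOOD_POLICY = {"bindings": [{"role": ROLE, "members": [MEMBER]}]}
BAD_POLICY = {"bindings": [
    {"role": ROLE, "members": [MEMBER]},
    {"role": "roles/compute.admin",
     "members": [MEMBER, "user:admin@example.com"]},
]}

if __name__ == "__main__":
    for name, policy, roles in [("good", GOOD_POLICY, GOOD_ROLES),
                                ("bad", BAD_POLICY, DRIFTED_ROLES)]:
        print(name, json.dumps(audit_member(policy, roles, MEMBER)))
```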
