You have a Google Cloud project with multiple users. Which IAM role assignment best follows the least privilege principle?
Think about giving users only the permissions they need to do their job.
The 'Viewer' role grants read-only access, which is the minimum needed for users who only need to see resources. Assigning broader roles like 'Owner' or 'Editor' gives unnecessary permissions, violating least privilege.
You want to protect your Google Cloud VM instances from unauthorized internet access. Which setup provides the best security?
Think about how to keep VMs unreachable from the internet but still allow them to access the internet if needed.
Placing VMs in a private subnet without external IPs prevents inbound internet traffic. Using Cloud NAT allows outbound internet access securely. Other options expose VMs to the internet or lack firewall protection.
Which of the following Cloud Storage bucket IAM policies will publicly expose the bucket contents?
Look for the member that allows anyone on the internet access.
The member 'allUsers' means anyone on the internet can view objects in the bucket, making it public. Other members restrict access to specific users or service accounts.
You rotate a Cloud KMS key used to encrypt data in Cloud Storage. What happens to the data encrypted with the old key version?
Think about how key versions work in encryption.
Cloud KMS keeps the old key versions enabled and available for decryption. Rotating a key creates a new primary version that is used for new encryption operations, but data encrypted with earlier versions remains decryptable with those previous versions.
You enable VPC Service Controls around your Google Cloud project. Which of the following is a direct effect of this action?
Consider what VPC Service Controls are designed to protect against.
VPC Service Controls create a security perimeter that restricts access to Google Cloud services, preventing data from being accessed or moved outside the perimeter, thus reducing data exfiltration risks.