How should you configure the auditor’s permissions?

You want to add a new auditor to a Google Cloud Platform project. The auditor should be allowed to read, but not modify, all project items.

How should you configure the auditor’s permissions?
A. Create a custom role with view-only project permissions. Add the user’s account to the custom role.
B. Create a custom role with view-only service permissions. Add the user’s account to the custom role.
C. Select the built-in IAM project Viewer role. Add the user’s account to this role.
D. Select the built-in IAM service Viewer role. Add the user’s account to this role.

Answer: C

Explanation:

Reference: https://cloud.google.com/resource-manager/docs/access-control-proj

The primitive role roles/viewer provides read access to all resources in the project. Its permissions are limited to get and list access for all resources. Because this out-of-the-box role fits the requirement exactly, we should use it.

It is advisable to use the existing GCP-provided roles rather than create custom roles with similar permissions, because custom roles become a maintenance overhead. If GCP changes how permissions are handled or adds or removes permissions, Google automatically updates the default GCP-provided roles, whereas keeping custom roles current is our responsibility. That adds operational overhead and should be avoided.
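
As an added example (not part of the original explanation): a Python check over a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy --format=json`, that confirms an auditor holds roles/viewer and nothing else. The policy, member addresses and project ID are constructed, and only direct project-level bindings are examined, not group membership or bindings inherited from a folder or organization.

```python
import json

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["user:auditor@example.com", "user:dev@example.com"]},
    {"role": "roles/editor",
     "members": ["user:dev@example.com"]},
    {"role": "projects/example-project/roles/customAuditViewer",
     "members": ["user:old-auditor@example.com"]}
  ],
  "version": 1
}
""")

WRITE_CAPABLE_BASIC = {"roles/editor", "roles/owner"}
# Custom roles are named under the project or organization that owns them.
CUSTOM_PREFIXES = ("projects/", "organizations/")


def roles_for(policy, member):
    """Return the set of roles bound directly to `member` in this policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_read_only(policy, member):
    """List the ways `member` deviates from 'roles/viewer and nothing else'."""
    roles = roles_for(policy, member)
    findings = []
    if "roles/viewer" not in roles:
        findings.append("missing roles/viewer")
    for role in sorted(roles - {"roles/viewer"}):
        if role in WRITE_CAPABLE_BASIC:
            findings.append(f"write-capable basic role: {role}")
        elif role.startswith(CUSTOM_PREFIXES):
            findings.append(f"custom role (self-maintained): {role}")
        else:
            findings.append(f"extra role, review its permissions: {role}")
    return findings


if __name__ == "__main__":
    for m in ("user:auditor@example.com", "user:dev@example.com",
              "user:old-auditor@example.com"):
        print(m, audit_read_only(SAMPLE_POLICY, m) or "OK: viewer only")
```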
