Preventing Broadening of Permissions in Google Cloud | Best Practices

Question

Your company uses a large number of Google Cloud services centralized in a single project.

All teams have specific projects for testing and development.

The DevOps team needs access to all of the production services in order to perform their job.

You want to prevent Google Cloud product changes from broadening their permissions in the future.

You want to follow Google-recommended practices.

What should you do?

Answers

Explanations


The correct answer is C. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the production project.

Explanation: In this scenario, we need to give the DevOps team access to all production services so they can perform their job. At the same time, we want to prevent any accidental or unauthorized access to services outside of their scope, including access that appears later because a Google Cloud product change adds permissions to a predefined role.

Option A is not recommended as granting the role of Project Editor on the organization level would give the DevOps team access to all projects within the organization, including development and testing projects. This will create a security risk and violate the principle of least privilege.

Option B is not optimal as it would grant the DevOps team full permissions on the production project. If there is any change in the future to any of the Google Cloud products, this may result in broadened permissions that may not be necessary for the DevOps team.

Option C is the recommended option as it allows us to create a custom role that combines the specific permissions required for the DevOps team. We can then grant the custom role to the DevOps team on the production project, ensuring that they only have the required level of access.

Option D is not recommended as granting the custom role on the organization level would give the DevOps team access to all projects within the organization, including development and testing projects. This will create a security risk and violate the principle of least privilege.

In summary, option C is the best approach: a custom role pins the exact permission set the DevOps team needs, and granting it only on the production project keeps the scope narrow, reducing the risk of accidental or unauthorized access to other services.
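As an added illustration of option C (this is example configuration written for this page, not taken from the question source or from Google), the following Terraform defines a project-level custom role and binds it to the DevOps group on the production project only. The project ID, the group address and the permission list are assumptions; the permission list should be trimmed to what the team actually needs.

```hcl
# Added example, not part of the original page. Project ID, group address and
# the permission list are assumptions chosen for illustration.

variable "prod_project" {
  type    = string
  default = "prod-project-id" # assumption: the production project ID
}

variable "devops_group" {
  type    = string
  default = "group:devops@example.com" # assumption: the DevOps Google group
}

# A custom role enumerates its permissions explicitly. Permissions that Google
# later adds to a predefined role (for example roles/editor) are never
# inherited by this role, which is what "prevent broadening" asks for.
resource "google_project_iam_custom_role" "devops_prod" {
  project     = var.prod_project
  role_id     = "devopsProdOperator"
  title       = "DevOps production operator"
  stage       = "GA"
  permissions = [
    "compute.instances.get",
    "compute.instances.list",
    "compute.instances.start",
    "compute.instances.stop",
    "logging.logEntries.list",
    "monitoring.timeSeries.list",
  ]
}

# Bind the custom role on the production project only (option C). A binding on
# the organization (option D) would reach every team's dev and test projects,
# and a broad predefined role such as roles/editor (option B) would pick up any
# permissions Google adds to that role in the future.
resource "google_project_iam_member" "devops_prod" {
  project = var.prod_project
  role    = google_project_iam_custom_role.devops_prod.id
  member  = var.devops_group
}
```

A periodic review of the custom role's permission list is still needed, since the role only changes when someone edits it.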