You need to give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments. What should you do?
A.
Assign each user the editor role.
B.
Assign each user the compute.networkAdmin role.
C.
Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get.
D.
Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.
The correct answer is "D", see this link below.
Permissions required for creating Interconnect VLAN attachment are following:
compute.interconnectAttachments.create
compute.interconnectAttachments.get
compute.routers.create
compute.routers.get
compute.routers.update
https://cloud.google.com/interconnect/docs/how-to/dedicated/creating-vlan-attachments
sc00by is right, it must be B because it has delete permission, see bellow from the console:
gcloud iam roles describe roles/compute.networkAdmin | grep inter
- compute.interconnectAttachments.create
- compute.interconnectAttachments.delete
- compute.interconnectAttachments.get
- compute.interconnectAttachments.list
- compute.interconnectAttachments.setLabels
- compute.interconnectAttachments.update
- compute.interconnectAttachments.use
Editor has broader permissions compared to compute.networkAdmin because Editor can access and modify resources across the entire project, not just networking-related resources. compute.networkAdmin is restricted to network management tasks only.
closest is D, though it lacks the compute.interconnectAttachments.delete permission. but the rest of the permissions adhere to the questions requirement which is provide least privilege only to manage VLAN. Providing network admin would be too broad of a permission and does not adhere to the questions requirement of Least Priv
To give each member of your network operations team least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments, you should give them the following permissions only:
• compute.interconnectAttachments.create
• compute.interconnectAttachments.get
• compute.routers.create
• compute.routers.get
• compute.routers.update
These permissions are the minimum required to create, modify, and delete Cloud Interconnect VLAN attachments.
The other options are incorrect because:
A. Assign each user the editor role. The editor role gives users too much access. It allows them to perform all actions on all resources in a project.
B. Assign each user the compute.networkAdmin role. The compute.networkAdmin role gives users too much access. It allows them to perform all actions on all Compute Engine resources in a project.
C. Give each user the following permissions only: compute.interconnectAttachments.create, compute.interconnectAttachments.get. These permissions are not enough to create, modify, and delete Cloud Interconnect VLAN attachments. They only allow users to create and get Cloud Interconnect VLAN attachments.
C : Assigning each user the permissions compute.interconnectAttachments.create and compute.interconnectAttachments.get ensures that they have the necessary privileges to create, modify, and delete Cloud Interconnect VLAN attachments, while limiting their access to only those specific actions. This approach follows the principle of least privilege, granting users only the permissions required for their tasks without providing unnecessary access to other resources.
Option C is the correct answer.
Explanation:
To provide least-privilege access to create, modify, and delete Cloud Interconnect VLAN attachments, you should give each user the minimum set of permissions required to perform these actions. The compute.interconnectAttachments.create and compute.interconnectAttachments.get permissions are required to create, modify, and delete VLAN attachments.
Option A (editor role) grants too many permissions, including permissions to modify IAM policies and billing settings.
Option B (compute.networkAdmin role) grants permissions to create and manage networks, subnets, routes, VPNs, and firewalls, in addition to Cloud Interconnect VLAN attachments.
Option D grants too many permissions, including permissions to create and modify routers, which are not required to manage VLAN attachments.
B: VLAN attachments (also known as interconnectAttachments) determine which Virtual Private Cloud (VPC) networks can reach your on-premises network through a Dedicated Interconnect connection. You can create VLAN attachments over connections that have passed all tests and are ready to use.
B - compute.networkAdmin had access to create, modify and delete vlans as you can see on link below: compute.interconnectAttachments.*
https://cloud.google.com/compute/docs/access/iam#compute.networkAdmin
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
jonclem
Highly Voted 4 years, 6 months agonikiwi
4 years, 4 months agomozammil89
Highly Voted 5 years, 1 month agosc00by
4 years, 1 month agoJohnnyBG
3 years, 9 months agosaraali
Most Recent 2 months, 2 weeks agoian_gcpca
4 months agoian_gcpca
3 months, 3 weeks agod07d3be
5 months, 2 weeks agothewalker
1 year agothewalker
1 year agodev62
1 year, 2 months agodesertlotus1211
1 year, 2 months agoKyle1776
1 year, 6 months agoananta93
1 year, 8 months agoKomal697
2 years, 1 month agopk349
2 years, 3 months agoAzureDP900
2 years, 5 months agoMMEB
2 years, 6 months agoMr_MIXER007
2 years, 6 months agovladani
3 years, 3 months agokumarp6
3 years, 3 months agoJesusMariaJose
3 years, 5 months ago