Exam Professional Cloud Network Engineer topic 1 question 108 discussion

I'm not 100% sure for this question. for me, this question is about shared vpc, go to documentation: https://cloud.google.com/vpc/docs/shared-vpc "Implement a security best practice of least privilege for network administration, auditing, and access control. Shared VPC Admins can delegate network administration tasks to Network and Security Admins in the Shared VPC network without allowing Service Project Admins" following this recommendation above, cann't be letter C and D, definitely. So, can be A or B. But question say: "across multiple folders" and "task in the fewest number of steps" If we go to letter A, this configuration cann't be complete with fewest steps, principal if we have 100 folders. In my opinion is letter B, this is a personal opinion.

Correct answer: D "Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC" https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vpc

I'll go with B since the responsibility is JUST "setting up multiple host projects across multiple folders and sharing subnets with service projects" and no need for Project IAM Admin role

requirements: 1. setting up multiple host projects across multiple folders and 2. sharing subnets with service projects B, is not enough to provide both requirements (only item 1), would require network admin for 2 but providing IAM admin role (D) would be overkill as it gives too much access to the engineer. Also just giving IAM admin would not resolve the issue since the engineer still needs to grant network admin to self to perform item 2. So if we follow Google Best Practice for least privs. Answer is B

Answer is B, since the Shared VPC Admin referece to both compute.xpnAdmin and resourcemanager.projectIamAdmin.

Shared VPC Admins have the "Compute" Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) Compute Shared VPC Admin: ...... resourcemanager.organizations.get resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.list Project IAM Admin: resourcemanager.projects.get resourcemanager.projects.getIamPolicy resourcemanager.projects.setIamPolicy (which "Compute" Shared VPC Admin doesn't have) So only "Compute" Shared VPC Admin is not enough for this question. I think the answer is D. https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vpc

https://cloud.google.com/vpc/docs/shared-vpc#iam_roles_required_for_shared_vp

Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. Put at org level for least # of steps

It is B because Project IAM admin role is already part of Shared VPC Admin role. https://cloud.google.com/vpc/docs/shared-vpc

• B. Set up the engineer with Compute Shared VPC Admin IAM role at the organization ***** level.

correct answer - B, Compute Shared VPC Admin (compute.xpnAdmin) at org level since we need to manage N host projects in diferente folders.

correct answer - B, Compute Shared VPC Admin (compute.xpnAdmin) suffice the requirement

C. Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. https://cloud.google.com/vpc/docs/shared-vpc

C. Shared VPC Admins have the Compute Shared VPC Admin (compute.xpnAdmin) and Project IAM Admin (resourcemanager.projectIamAdmin) roles for the organization or one or more folders. They perform various tasks necessary to set up Shared VPC, such as enabling host projects, attaching service projects to host projects, and delegating access to some or all of the subnets in Shared VPC networks to Service Project Admins. https://cloud.google.com/vpc/docs/shared-vpc

This is most appropriate role. C. Set up the engineer with Compute Shared VPC Admin IAM role and Project IAM Admin role at the folder level