You want to implement least privilege access for developers. Which IAM practice should you follow?

  1. Grant broad Editor role to all developers
  2. Grant custom roles with minimal required permissions ✓
  3. Use service accounts without roles
  4. Grant Viewer role and rely on groups

Correct answer: Grant custom roles with minimal required permissions

Option 2 is correct because a custom IAM role that contains only the exact permissions developers need enforces least privilege and limits the blast radius of a compromised or misconfigured account. Bind that role to a developer group rather than to individual users, so that onboarding and offboarding change group membership instead of the IAM policy, and review it periodically: a custom role is a static permission list and does not pick up new permissions when a service changes, so where a predefined role already matches the required set it is usually the better choice. Option 1 is wrong because Editor is a basic role (formerly called primitive) that grants write access across nearly every GCP service in the project, far more than developers typically require. Option 3 is wrong because a service account with no roles has no permissions and cannot perform any action, so it grants nothing and defeats the purpose of granting access at all. Option 4 is wrong because Viewer is read-only, and group membership alone does not supply the specific write permissions developers need to do their work; groups are a way to assign a role, not a substitute for choosing the right one.
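A worked illustration of the practice above, as an added example that is not part of the original page: audit a project IAM policy for basic-role bindings, build the custom role body that `gcloud iam roles create ROLE_ID --project=PROJECT --file=role.yaml` accepts, and rebind the developer group from Editor to that role. The policy, project id, group address, role id and permission list are all constructed or hypothetical; a real permission set would come from what the team actually calls (for example from IAM recommender or Policy Troubleshooter data).

```python
"""Audit a GCP project IAM policy for basic roles and rebind developers to a
least-privilege custom role.

Added example, not code from the original page. SAMPLE_POLICY is constructed
data in the shape of `gcloud projects get-iam-policy PROJECT --format=json`;
the project id, group address, custom role id and permission list are
hypothetical and chosen only to illustrate the pattern.
"""
import copy
import json

# Basic roles (formerly "primitive"): Owner/Editor/Viewer apply to almost every
# service in the project, so any binding to them is a least-privilege finding.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy: the developer group has been given Editor (option 1).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwX-constructed",
    "bindings": [
        {"role": "roles/editor",
         "members": ["group:developers@example.com", "user:alice@example.com"]},
        {"role": "roles/logging.viewer",
         "members": ["group:developers@example.com"]},
    ],
}

# Hypothetical minimal permission set for developers (real permission names,
# illustrative selection). The duplicate is deliberate: it is deduplicated below.
DEV_PERMISSIONS = [
    "compute.instances.get",
    "compute.instances.list",
    "logging.logEntries.list",
    "cloudbuild.builds.create",
    "cloudbuild.builds.get",
    "compute.instances.list",
]

# Hypothetical project-level custom role resource name.
DEV_ROLE_ID = "projects/my-project/roles/developerMinimal"


def basic_role_bindings(policy):
    """Return (role, member) pairs for every principal bound to a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding["role"] in BASIC_ROLES:
            for member in binding["members"]:
                findings.append((binding["role"], member))
    return findings


def custom_role_definition(title, description, permissions, stage="GA"):
    """Build the body that `gcloud iam roles create --file` accepts (JSON is valid
    YAML). Permissions are deduplicated and sorted so the file diffs cleanly."""
    return {
        "title": title,
        "description": description,
        "stage": stage,
        "includedPermissions": sorted(set(permissions)),
    }


def rebind_member(policy, member, old_role, new_role):
    """Return a copy of `policy` with `member` moved from `old_role` to `new_role`.
    Bindings emptied by the move are dropped; the input policy is not mutated."""
    new_policy = copy.deepcopy(policy)
    for binding in new_policy["bindings"]:
        if binding["role"] == old_role and member in binding["members"]:
            binding["members"].remove(member)
    new_policy["bindings"] = [b for b in new_policy["bindings"] if b["members"]]
    for binding in new_policy["bindings"]:
        if binding["role"] == new_role:
            if member not in binding["members"]:
                binding["members"].append(member)
            break
    else:
        new_policy["bindings"].append({"role": new_role, "members": [member]})
    return new_policy


if __name__ == "__main__":
    for role, member in basic_role_bindings(SAMPLE_POLICY):
        print(f"FINDING: {member} holds basic role {role}")
    role_body = custom_role_definition(
        "Developer (minimal)", "Least-privilege developer access", DEV_PERMISSIONS)
    print(json.dumps(role_body, indent=2))  # save as role.yaml for gcloud
    fixed = rebind_member(SAMPLE_POLICY, "group:developers@example.com",
                          "roles/editor", DEV_ROLE_ID)
    print(json.dumps(fixed, indent=2))  # apply with gcloud projects set-iam-policy
```

The audit reports every basic-role binding, not only the developer group, because an individual user such as alice@example.com holding Editor is the same finding; the rebind is applied per principal so each one can be reviewed before the policy is written back.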

Topic: iam, least privilege, custom roles, gcp security

Practice Google Cloud Professional Cloud Architect Questions Free