Cloud IAM Overview
48 Questions

Questions and Answers

What does IAM primarily help manage?

  • User privileges and resource access (correct)
  • Code deployment
  • Network security
  • Data storage

The organization resource represents an individual user.

False

What is one example of a role that can be assigned in IAM?

Compute Viewer

IAM includes members, roles, and ________ accounts.

service

Match the following IAM components with their descriptions:

  • Organization = Root node of the hierarchy
  • Folders = Groups projects for better management
  • Projects = Contain resources
  • Resources = Specific services like Storage or Compute Engine

Which statement best describes the IAM resource hierarchy?

Each resource has exactly one parent.

IAM policies define the privileges and actions associated with resources.

True

What is the purpose of policy inheritance in IAM?

To allow child resources to inherit permissions from parent resources.

What role allows a user to create new projects and automatically make them the owner?

Creator

The Admin role has limited control in the organization node.

False

List the three types of IAM roles in Cloud IAM.

Basic, Predefined, Custom

In Cloud IAM, the ______ role provides read-only access to resources.

Viewer

Match each IAM role with its corresponding capability:

  • Owner = Full administrative access
  • Editor = Modify code and deploy applications
  • Viewer = Read-only access
  • Billing Administrator = Manage billing and add administrators

Which role can delete projects in a Cloud IAM setup?

Deleter

In the folder node, the Creator role can only view the structure of folders.

False

What are the fixed, coarse-grained roles in IAM known as?

Basic roles

What is the role of an Organization Admin in Google Cloud?

Control over all cloud resources and useful for auditing

IAM roles granted at the organization level are not inherited by resources in folders under the organization.

False

What type of user is responsible for assigning the Organization Admin role?

Workspace or Cloud Identity super administrator

The ______ can create projects within the organization if they have the proper role.

Project Creator

Which of the following is NOT a responsibility of the Organization Admin?

Create projects directly

An organization node is the root node for Google Cloud resources.

True

What acts as a trust boundary within a company?

Projects

Match the following roles with their corresponding responsibilities:

  • Organization Admin = Define IAM policies and audit resources
  • Project Creator = Control creation of projects
  • Super Administrator = Assign roles and manage accounts
  • Organization User = Access resources based on roles

What role would allow a user to start and stop Compute Engine virtual machines?

compute.instanceAdmin

A service account belongs to an individual end user.

False

What is the purpose of a Google Group in Identity and Access Management?

To apply an access policy to a collection of users.

A Google ______ represents a developer, an administrator, or any other person who interacts with Google Cloud.

account

Match the following member types with their descriptions:

  • Google Account = Represents an individual user
  • Service Account = Represents an application
  • Google Group = A collection of users
  • Google Workspace domain = A domain for Google Workspace users

Which statement is NOT true regarding IAM member identities?

You can use IAM to create or manage your users or groups.

You can create as many service accounts as needed for your application.

True

Name one type of member that can be defined in Identity and Access Management.

Google Account, Service Account, Google Group, Google Workspace domain, or Cloud Identity domain.

What role is automatically granted to the default Compute Engine service account?

Editor

The default Compute Engine service account can only be enabled when a new instance is created using the Google Cloud console.

False

What is the email format for the default Compute Engine service account?

[email protected]

The process of determining permissions for an authenticated identity is known as _____.

authorization

What does an access token with a read-only scope allow an application to do?

Read data from a Cloud Storage bucket

Match the following applications with their access privileges:

  • Application A = Read-only access
  • Application B = Read-write access

Scopes can be customized after a VM instance has been created.

True

User-created service accounts should use _____ roles instead of scopes.

IAM

What is the primary purpose of Organization Restrictions in Google Cloud?

To restrict access to resources within a specific Google Cloud organization

The principle of least privilege should be followed when granting roles in Google Cloud.

True

Why is it beneficial to grant roles to Google groups instead of individual users?

It allows for easier management of group membership without changing IAM policies.

The _______ hierarchy helps to group resources that share the same trust boundary.

resource

Match the following roles with their respective needs:

  • Network Admin Group = Group needing read_write role
  • View Only Group = Group needing view_only role
  • Storage Admin Group = Group needing read_write role
  • Viewer Group = Group needing view_only role

Which practice is recommended for auditing IAM policies?

Using Cloud Audit Logs to keep track of policy changes

Groups can be used to enhance control over IAM policies.

True

What should you check on each resource to understand permissions better?

The policy granted and the inheritance of that policy.

Study Notes

Identity and Access Management (IAM) Overview

• IAM is a way to identify who (a person, group, or application) can do what on a resource.
• Resources can be any Google Cloud service.
• IAM has components like organizations, roles, members, and service accounts.
• The Organization Restrictions feature helps control access.
• Best practice is to apply these concepts to daily work.

IAM Resource Hierarchy

• Google Cloud resources are hierarchical.
• The Organization node is the root.
• Folders are children of the organization.
• Projects are children of folders.
• Resources are children of projects.

Organization Node

• Root node for Google Cloud resources.
• Organization Admin role controls all cloud resources (useful for auditing).
• Project Creator role controls project creation.

Creating and Managing Organizations

• Created when a Google Workspace or Cloud Identity account creates a Google Cloud Project.
• Workspace or Cloud Identity super administrators assign Organization Admins and manage account lifecycles.
• Organization Admins define IAM policies and the resource hierarchy, delegating responsibility.

Folders

• Additional grouping and isolation boundary between projects.
• Can represent departments, legal entities, or teams.
• Allow delegation of administrative rights.

Resource Manager Roles

• Organization Admin: full control over all resources.
• Organization Viewer: views all resources.
• Folder Admin: full control over folders.
• Folder Creator: manages folder creation.
• Folder Viewer: views folders and resources below a resource.
• Project Creator: creates new projects (automatically becomes owner).
• Project Deleter: deletes projects.

IAM Roles (Types)

• Basic roles (Owner, Editor, Viewer).
• Predefined roles (specific to Google Cloud services).
• Custom roles (define precise permissions).

IAM Basic Roles

• Owner: full administrative access (adding and removing members, deleting projects).
• Editor: modify and delete access (deploying applications, configuring resources).
• Viewer: read-only access.

IAM Predefined Roles

• GCP services provide sets of predefined roles for granular access to specific resources.
• These roles are collections of permissions.

IAM Predefined Roles (Example)

• InstanceAdmin role: permissions for managing compute instances.

Compute Engine IAM Roles

• Compute Admin: full control of Compute Engine resources.
• Network Admin: manages networking resources (excluding firewall rules and SSL certificates).
• Storage Admin: manages disks, images, and snapshots.

IAM Custom Roles

• Roles define specific permission sets.
• Example: an "Instance Operator" role for starting and stopping virtual machines.

IAM Members (Types)

• Google Accounts (developers, admins).
• Service Accounts (accounts for applications).
• Google Groups (collections of accounts).
• Google Workspace domains.
• Cloud Identity domains.

IAM Allow Policies

• Grant access to Google Cloud resources.
• Control access to the resources and their descendants.
• Bind, or associate, principals (or identities) to a single IAM role.

IAM Deny Policies

• Prevent principals from using specific permissions, regardless of their roles.
• Specify principals, permissions, and (optional) conditions for denial.

IAM Conditions

• Allow defining attribute-based access control using conditions in role bindings.
• Conditions are expressed as logic statements.

Organization Policies

• Configurations of restrictions defined by constraints.
• Applied to organizations, folders, or projects.
• Inherited by child resources.

Single Sign-On (SSO)

• Configured using Cloud Identity.
• Third-party solutions if SAML2 isn't supported (ADFS, Ping, Okta).

Service Accounts

• Provide identity for service-to-service interactions.
• Used for applications or programs running within Compute Engine instances.
• Service accounts have unique email addresses.
• Types include user-created, built-in, and Google APIs service accounts.

Service Account Keys

• Google-managed vs. user-managed keys.
• Google manages the keys for default service accounts.
• With user-managed keys, the user is responsible for their security and rotation.

Identity-Aware Proxy (IAP)

• Central authorization layer for applications accessed over HTTPS.
• Enforces policies based on identity.
• Provides access controls for applications without VPNs.

Description

This quiz covers the fundamentals of Identity and Access Management (IAM) in cloud environments, focusing on roles, policies, and resource management. It includes questions on role assignments, resource hierarchy, and the purpose of policy inheritance. Perfect for those looking to understand IAM in detail.
