GOOGLE CLOUD SECURITY ESSENTIALS EXAM QUESTIONS WITH CORRECT ANSWERS
What is a resource? - ANSWER-Everything in GCP, including your projects
What is an IAM policy? - ANSWER-A collection of IAM statements within a container. E.g.
if you're assigning IAM roles for a GCP project, then you can write a list of statements
that bind member(s) to certain role(s). e.g.:
Policy:
Member (Google Account + Service Account) : Role (compute.imageUser)
Member (G Suite Domain Account + Google Group) : Role (compute.instanceAdmin.v1)
What is the policy hierarchy? - ANSWER-Policies are inherited all the way down the chain,
like a file system!
So if Bob had the Viewer role at the organization level, he can view everything from the
root!
What is the order of operations when there are conflicting policies between parent and
child? - ANSWER-An overly permissive rule on the parent will overwrite the restrictive
child policy.
A restrictive rule on the parent will overwrite the permissive rule on the child! (Parent
always overrules child?)
If you apply IAM roles to a member on a project, is it organizational wide? - ANSWER-
No, they are confined to the project!
What is the difference between the IAM page on a project vs the IAM page at the
organization? - ANSWER-The organization allows you to select Billing Account Creator
and Organization Administrator! Resource Manager allows you to add Organization
Viewer, Project Creator, Folder Admin, Folder Creator, etc.
How do you give everyone in your organization the ability to create a project? -
ANSWER-Go to the organization, go to IAM,
add members: "solutions.co.com", roles: "Project Creator".
Note the domain can be any domain! Even linuxacademy.com
Where can users be created in Google Cloud Platform? - ANSWER-They can't!
They can be created in G Suite or AD!
Or users (emails) can be invited!
If Bob can't see other projects in the org, then what is the problem? - ANSWER-He
doesn't have project view permissions at the organization level, so he doesn't have
view permissions on the other projects!
He can see his own project because he has view access on the ones he created.
Solution:
1. Add the Project Viewer role at the ORGANIZATION level
2. Go to the project itself, go to IAM, and add the Project Viewer role, or if only certain sub-
resources such as a subnetwork are needed, then choose that role
If Bob can't create compute instances after creating the project and sees a "free trial"
option, what can he do? - ANSWER-He probably does not have a billing account
attached to the project.
He needs to have someone do it for him, or he can ask for Billing Account Creator
permissions.
What are folders? - ANSWER-They allow logical groupings of projects, for example, on
a department-by-department basis.
Team A has this set of projects,
Team B has these, etc.
Where do folders go in the cloud hierarchy? - ANSWER-They lie between organization
and projects! Thus a set of members can inherit a predefined set of roles for multiple
projects (as opposed to applying roles to members on a project-by-project basis, which is
TOIL)
Are folders set in stone? - ANSWER-No! You can move projects between folders!
What happens with permissions when you remove a project from a folder? - ANSWER-
The IAM permissions/policies that you set at the folder level are now no longer
applicable because the project is no longer in the folder!
If you're an organization admin, can you automatically create folders? - ANSWER-No,
actually! You need to first give yourself that role.
Why should you not give Folder Creator at the organization level? - ANSWER-
You (admin) should be managing the folders at the organization level!
If Bob wanted to create folders inside his folder, then you need to create the folder at the
organization level for him, go to IAM within that folder, and give him Folder
Creator! You can do this by going to the organization IAM page and "Manage resources".
What is a service account? - ANSWER-An account that belongs to an application or a
VM.
Useful in case a person leaves the company.
e.g. tf-sa or ans-sa
What are the default service accounts? - ANSWER-These are automatically created
when you start using specific resources.
What's the functional difference between a service account and a user? - ANSWER-
There's no password; it is managed by keys instead!
When would you choose user-managed keys vs Google-managed keys? - ANSWER-
When you want to generate the keys yourself and use them for your own authentication, such as
a local backup.
What are scopes used for in the context of VMs? - ANSWER-It was the legacy method
to interact with other Google Cloud services.
What's the difference when you run commands in the VM as opposed to locally? -
ANSWER-If you ssh'd to the VM, it will run cloud commands as the service account;
e.g. run gcloud config list and see that it ran as the service account. This is the default interaction
for GCE, where each instance will use a default service account.
How is a service account more than just a member? - ANSWER-It is also a resource!
Users/Groups can have the Service Account User role to have permission to act as a
service account!
e.g. you need iam.serviceAccountUser to use Terraform as the Terraform service
account!
How do you add custom roles? - ANSWER-You need to have the Organization Role
Administrator role.
How long does deleting a custom role take? - ANSWER-37 days
How do you create a role with firewall permissions and compute permissions? -
ANSWER-"Create from this role", then
add more permissions.