Practice Test 2 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test
What is the best practice for separating responsibilities and access for production and development environments?
A. Separate project for each environment, each team only has access to their project.
B. Separate project for each environment, both teams have access to both projects.
C. Both environments use the same project, but different VPC’s.
D. Both environments use the same project, just note which resources are in use by which group.
Correct Answer A
Explanation
A (Correct answer) – Separate project for each environment, each team only has access to their project.
For least privilege and separation of duties, the best practice is to separate both environments into different projects, development or production team gets their own accounts, and each team is assigned to only their projects.
The best practices:
· You should not use same account for both Development and production environments regardless how do you create projects inside that account for different environments. You should use different account for each environment which associated with different group of users. You should use project to isolate user access to resource not to manage users.
· Using a shared VPC allows each team to individually manage their own application resources, while enabling each application to communicate between each other securely over RFC1918 address space. So VPC’s isolate resources but not user/service accounts.
B, C, and D are incorrect
Answer B is the scenario that use same account for both development and production environments attempting to isolate user access with different projects
Answer C is the scenario that use same account for both development and production environments with same project attempting to isolate user access with network separation.
Answer D is the scenario that use same account for both development and production environments with same project attempting to isolate user access with user group at resource level.
You may grant roles to group of users to set policies at organization level, project level, or (in some cases) the resource (e.g., existing Cloud Storage and BigQuery ACL systems as well as and Pub/Sub topics) level.
The best practice: Set policies at the Organization level and at the Project level rather than at the resource level. This is because as new resources get added, you may want them to automatically inherit policies from their parent resource. For example, as new Virtual Machines gets added to the project through auto scaling, they automatically inherit the policy on the project. https://cloud.google.com/iam/docs/resource-hierarchy-access-control#best_practices
Additional Resources:
To recap: IAM lets you control who (users) has what access (roles) to which resources by setting IAM policies. IAM policies grant specific role(s) to a user giving the user certain permissions.
Using Resource Hierarchy for Access Control
Comments are closed, but trackbacks and pingbacks are open.