Topic 1 Question 171
Choose two. You have created an OS image that is hardened per your organization's security standards and is being stored in a project managed by the security team. As a Google Cloud administrator, you need to make sure all VMs in your Google Cloud organization can only use that specific OS image while minimizing operational overhead. What should you do?
A. Grant users the compute.imageUser role in their own projects.
B. Grant users the compute.imageUser role in the OS image project.
C. Store the image in every project that is spun up in your organization.
D. Set up an image access organization policy constraint, and list the security team managed project in the project's allow list.
E. Remove VM instance creation permission from users of the projects, and only allow you and your team to create VM instances.
Comments (6)
- Selected answer: BD
BD is the answer.
https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- constraints/compute.trustedImageProjects: This list constraint defines the set of projects that can be used for image storage and disk instantiation for Compute Engine. If this constraint is active, only images from trusted projects will be allowed as the source for boot disks for new instances.
👍 5 zellck 2022/09/27

I think it should be BD instead of AD. Users should have access to the project where the secured image is stored, which is "Security Team's project". Users will obviously need permission to create VMs in their own project, but to use an image from another project, they need "imageUser" permission on that project.

👍 3 Baburao 2022/09/03

- Selected answer: AD
The compute.imageUser is a permission to list and read images without having other permissions on the image. Granting this role at the project level gives users the ability to list all images in the project and create resources, such as instances and persistent disks, based on images in the project. https://cloud.google.com/compute/docs/access/iam#compute.imageUser

👍 3 GHOST1985 2022/09/15
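As an added example (not from the question or any of the commenters), this is what the constraints/compute.trustedImageProjects approach from option D looks like as a policy file for `gcloud org-policies set-policy`, with the compute.imageUser grant from option B noted alongside it. The organization ID, the security team's project ID and the user group are placeholders.

```yaml
# Organization Policy (v2 format) that lets VM boot disks anywhere in the
# organization be created only from images stored in the security team's
# project. Placeholders: 123456789012 (organization ID), sec-hardened-images
# (the security team's image project), vm-builders@example.com (user group).
#
# Apply once at the organization node so every current and future project
# inherits it (no per-project work):
#   gcloud org-policies set-policy trusted-image-projects.yaml
#
# Check the effective policy from any project in the organization:
#   gcloud org-policies describe compute.trustedImageProjects \
#       --project=some-project --effective
name: organizations/123456789012/policies/compute.trustedImageProjects
spec:
  rules:
    - values:
        # Only images from this project may be used as a boot-disk source.
        # Google's public image projects (debian-cloud, ubuntu-os-cloud, ...)
        # are deliberately not listed, so those images are blocked too,
        # which is what the question asks for.
        allowedValues:
          - projects/sec-hardened-images

# The constraint alone does not let users read the image. They still need
# roles/compute.imageUser on the image project (option B); granting it to a
# group on that one project avoids touching every VM project:
#   gcloud projects add-iam-policy-binding sec-hardened-images \
#       --member=group:vm-builders@example.com \
#       --role=roles/compute.imageUser
```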