Google Cloud Professional Cloud Security Engineer Practice Exam

Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!


How can you identify all principals who can change firewall rules in Google Cloud?

  1. Review IAM roles associated with the project

  2. Use Policy Analyzer to query specific firewall permissions

  3. Check service accounts linked to Google Cloud APIs

  4. List all users with editor access to the project

The correct answer is: Use Policy Analyzer to query specific firewall permissions

The most effective way to identify all principals who have the ability to change firewall rules in Google Cloud is to use Policy Analyzer to query specific firewall permissions. This tool allows you to assess IAM policies at a granular level, particularly with respect to specific resources or actions, such as changing firewall rules.

Using Policy Analyzer, you can determine which roles grant permissions for particular actions related to firewall management. This includes permissions like `compute.firewalls.update` or `compute.firewalls.create`, both of which are essential for modifying firewall rules. By querying these specific permissions, you can accurately identify users, groups, or service accounts that have the capability to alter firewall settings, ensuring that you have a comprehensive understanding of who holds those privileges.

While reviewing IAM roles associated with the project can provide insight into what permissions are granted within the project, it does not directly indicate which principals have access to modify firewall rules without additional context on how those roles are assigned. Similarly, checking service accounts linked to Google Cloud APIs and listing users with editor access could yield a broader range of permissions but may not directly target the specific ability to change firewall rules. This lack of focus could lead to oversight regarding specific firewall privileges.