Google Cloud Professional Cloud Security Engineer Practice Exam

What role should be granted to ensure that all VMs in a Google Cloud organization can only use a specific OS image while minimizing operational overhead?

• A. compute.imageAdmin role in the OS image project
• B. compute.imageViewer role in the OS image project
• C. compute.imageUser role in the OS image project
• D. compute.instanceAdmin role in the OS image project

The correct answer is: compute.imageUser role in the OS image project

The compute.imageUser role is the most suitable choice for ensuring that all Virtual Machines (VMs) in a Google Cloud organization can only use a specific operating system (OS) image while minimizing operational overhead. This role grants the permissions necessary for users to create instances using a specific image. It allows users to deploy VMs based on the designated OS image without providing broader permissions that could lead to operational complexities or configuration drift, as it restricts them to only using the images they are explicitly allowed to access. Using compute.imageAdmin would grant permissions to manage images, including creating and deleting them, which is unnecessary for the scenario described where the aim is to restrict and manage image usage rather than manage the images themselves. Similarly, compute.imageViewer only allows viewing image metadata, not utilizing the image for VM deployment. The compute.instanceAdmin role would provide broader permissions to manage instances but does not focus specifically on restricting the OS images being used, which might lead to users deploying VMs with unsupported or undesired images. Thus, the compute.imageUser role offers the right balance of access, allowing the deployment of instances using the specified OS image while keeping the operational overhead to a minimum. This role effectively enforces security and compliance with organizational standards regarding OS image