Identity and Access Management (IAM) Mastery Hub: The Indust

In the context of Google Cloud IAM, what is the primary difference between a role and a permission?

tests the fundamental understanding of IAM's hierarchical structure. Option A correctly defines roles as bundles of permissions and permissions as granular actions. Option B reverses the roles of roles and permissions. Option C is incorrect because both roles and permissions can be applied at various levels (organization, folder, project, resource). Option D is incorrect because while many predefined roles exist, custom roles are a critical feature of Google Cloud IAM. Question: A security engineer is designing an IAM policy for a new application deployed in Google Cloud. The application needs to read data from a Cloud Storage bucket but should not be able to delete or modify objects. Which of the following IAM roles would be the most appropriate and least privileged choice for the service account running the application?

assesses practical application of the principle of least privilege. Option C, `roles/storage.objectViewer`, grants read-only access to objects within a bucket, fulfilling the requirement. Option A, `roles/storage.admin`, is overly permissive and grants full administrative control. Option B, `roles/storage.objectCreator`, allows creating objects but not necessarily viewing them efficiently for read operations. Option D, `roles/storage.legacyBucketOwner`, is a legacy role with broad permissions and should be avoided in favor of more granular, modern roles. Question: When implementing conditional IAM policies in Google Cloud, which of the following conditions is NOT directly supported by the condition builder?