While preparing for the GCP Associate Cloud Engineer (ACE) exam, many candidates get confused by Identity and Access Management (IAM) best practices. In the real world, this is fundamentally a decision about balancing operational simplicity vs strict access segmentation using Google Cloud’s Resource Manager hierarchy and IAM primitives. Let’s drill into a simulated scenario.
The Scenario #
StreamCast Media, a global online media streaming company with multiple departments (e.g., Content Creation, Marketing, Engineering), is migrating their infrastructure to Google Cloud. They want to ensure that only employees with company-issued Google Accounts can access their Google Cloud environment. Additionally, to satisfy compliance requirements, each department must only have access to their own projects and resources — strict compartmentalization by department is mandatory.
The company also wants to minimize ongoing operational costs and effort for managing user access while adhering to Google Cloud recommended strategies.
Key Requirements #
Securely restrict resource access so that:
- Only verified company Google Accounts can access cloud resources.
- Department-level resource access boundaries are enforced.
- Operational cost and manual overhead are minimized.
- Google best practices for IAM and Resource Manager organization hierarchy are followed.
The Options #
- A) Assign users to the relevant Google Groups, and provide access to cloud resources through Identity and Access Management (IAM) roles. Periodically identify and remove non-company-issued Google Accounts.
- B) Assign users to the relevant Google Groups, and provide access to cloud resources through Identity and Access Management (IAM) roles. Use organization policies to block non-company-issued emails.
- C) Create a folder for each department in Resource Manager. Grant the users of each department the Folder Admin role on the folder of their department.
- D) Create a folder for each department in Resource Manager. Grant all company users the Folder Admin Role on the organization level.
Correct Answer #
Option B.
The Architect’s Analysis #
Step-by-Step Winning Logic #
Option B implements a secure, scalable method by controlling access through Google Groups aligned with departmental roles, combined with an organization policy that restricts login to only company-issued Google Accounts. This approach:
- Leverages IAM groups for fine-grained access without granting excessive permissions.
- Uses organization policies, a fundamental Resource Manager control, to enforce login restrictions, dramatically reducing the operational overhead of manual auditing and removal.
- Aligns with Google’s best practices favoring policy-based governance over relying on continual manual user cleanup.
- Adheres to the principle of least privilege by limiting access scope.
- Minimizes risk and operational toil, which aligns well with SRE focus on low-toil, reliable operations.
The Traps (Distractor Analysis) #
- Why not A? Periodic manual audits to remove non-company accounts are error-prone and operationally expensive, violating SRE principles of minimizing toil. Google strongly recommends using org policies to enforce login restrictions.
- Why not C? Granting users the Folder Admin role provides too much privilege and violates least-privilege principles. Admin roles on department folders allow users to manage the folder’s metadata and IAM policies, introducing security risks.
- Why not D? Granting all users Folder Admin at the organization level is a critical security risk: it grants excessive privilege and weakens the resource segmentation model.
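As an added example (not part of the original post), here is a small Python audit that reads IAM policy JSON in the shape returned by `gcloud organizations get-iam-policy --format=json` and flags the two problems the analysis above warns about: principals outside the company domain (the drift option A would have to clean up by hand, and which the domain-restricted-sharing constraint `constraints/iam.allowedPolicyMemberDomains` prevents at grant time) and Folder Admin granted at the organization level or to a whole domain (options C and D). The company domain `streamcast.example`, the resource names and the bindings are constructed sample data, and the domain allowlist is an assumed stand-in for the real constraint, which is keyed by Cloud Identity customer ID.

```python
import json

# Constructed sample data in the shape of `gcloud organizations get-iam-policy --format=json`
# and `gcloud resource-manager folders get-iam-policy --format=json` output (values are made up).
SAMPLE_POLICIES = {
    "organizations/123456789012": json.loads("""{"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@streamcast.example"]},
        {"role": "roles/resourcemanager.folderAdmin",
         "members": ["domain:streamcast.example"]}]}"""),
    "folders/marketing": json.loads("""{"bindings": [
        {"role": "roles/viewer",
         "members": ["group:marketing@streamcast.example", "user:freelancer@gmail.com"]}]}"""),
    "folders/engineering": json.loads(
        """{"bindings": [{"role": "roles/editor", "members": ["group:engineering@streamcast.example"]}]}"""),
}

# Assumed stand-in for constraints/iam.allowedPolicyMemberDomains, which Google Cloud keys
# by Cloud Identity customer ID rather than by DNS domain.
COMPANY_DOMAINS = {"streamcast.example"}
ADMIN_ROLES = {"roles/resourcemanager.folderAdmin", "roles/resourcemanager.organizationAdmin", "roles/owner"}


def member_domain(member):
    """Domain of an IAM member ('user:a@x', 'group:g@x', 'domain:x'); None for allUsers etc."""
    kind, _, value = member.partition(":")
    if kind == "domain":
        return value
    if kind in ("user", "group", "serviceAccount"):
        return value.rsplit("@", 1)[-1]
    return None  # allUsers, allAuthenticatedUsers, deleted:... principals


def audit_policy(resource, policy, company_domains=COMPANY_DOMAINS):
    """Return (resource, role, member, reason) tuples for the misconfigurations discussed above."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding["members"]:
            domain = member_domain(member)
            if domain is None or domain not in company_domains:
                findings.append((resource, role, member, "principal outside company domain"))
            if role == "roles/resourcemanager.folderAdmin" and resource.startswith("organizations/"):
                findings.append((resource, role, member, "Folder Admin granted at organization level"))
            elif role in ADMIN_ROLES and member.startswith("domain:"):
                findings.append((resource, role, member, "admin role granted to an entire domain"))
    return findings


def audit_all(policies):
    """Audit every exported policy and return the combined finding list."""
    return [f for resource, policy in policies.items() for f in audit_policy(resource, policy)]
```

Running `audit_all(SAMPLE_POLICIES)` on the sample data yields two findings: the Folder Admin grant at the organization level and the freelancer's consumer account in the Marketing folder; the Engineering folder, which only binds a company group, is clean.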
The Architect Blueprint #
Mermaid Diagram illustrating the streamlined access control model:
Diagram Note: Users authenticate with company-issued Google Accounts enforced by organization policies, with IAM roles assigned to Google Groups granting departmental project access.
Real-World Practitioner Insight #
Exam Rule #
For the exam, always pick Organization Policies to enforce company-wide restrictions like login domain filtering. Use Google Groups aligned to the departments for manageable IAM role assignments.
Real World #
Enterprises often face risks from unmanaged or stale accounts. Relying on manual cleanup is not sustainable at scale. Organization policies offer a cost-effective guardrail. Admin roles at folder or org levels should only be granted sparingly, to avoid privilege creep and operational risk.