An administrator needs to grant a network team the ability to create and manage firewall rules, but not delete VPC networks. Which IAM role should be assigned?
roles/compute.securityAdmin: allows managing firewall rules without granting VPC network deletion.
Why this answer
The roles/compute.securityAdmin role (Compute Security Admin) grants permissions to create, modify, and delete firewall rules and SSL certificates, but it does not include compute.networks.delete or the permissions to create or modify VPC networks themselves. That matches the requirement exactly: the network team can manage firewall rules but cannot delete VPC networks, which is the least-privilege fit among the predefined Compute roles.
Exam trap
The exam often tests the distinction between roles/compute.networkAdmin and roles/compute.securityAdmin. Candidates pick networkAdmin assuming it covers firewall rules, but networkAdmin excludes creating, updating, and deleting firewall rules (it can only read them) while granting broad VPC management, including the ability to delete networks. It therefore fails the requirement twice: too much on networks, too little on firewall rules.
How to eliminate wrong answers
Option A is wrong because roles/compute.networkAdmin provides full control over VPC networks and subnets, including the ability to delete them, which exceeds the required scope; it also lacks the firewall rule write permissions the team needs. Option C is wrong because roles/compute.viewer only allows read-only access to Compute Engine resources, with no permissions to create or manage firewall rules. Option D is wrong because roles/compute.admin grants full administrative access to all Compute Engine resources, including the ability to delete VPC networks, which violates the restriction.
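The reasoning above can be turned into a repeatable check: a role fits when its permission list contains every permission the team needs and none it must not have. The script below is an added example and is not part of the original page or of Google's tooling. The two permission lists are constructed subsets of the real roles/compute.securityAdmin and roles/compute.networkAdmin permissions, embedded so the script runs offline; live_role_fits is the only function that calls gcloud, and the ';' list delimiter of the value() output format is an assumption to verify in your environment.

```shell
#!/bin/sh
# Added example (not from the original page): check a role's permission list
# against what the network team needs and what it must not have.

# Constructed subset of roles/compute.securityAdmin permissions (not a full dump).
SECURITY_ADMIN_PERMS="compute.firewalls.create
compute.firewalls.delete
compute.firewalls.get
compute.firewalls.list
compute.firewalls.update
compute.networks.get
compute.networks.list
compute.networks.updatePolicy
compute.sslCertificates.create
compute.sslCertificates.delete"

# Constructed subset of roles/compute.networkAdmin permissions (not a full dump).
# Note: firewall rules are read-only here, but networks can be deleted.
NETWORK_ADMIN_PERMS="compute.firewalls.get
compute.firewalls.list
compute.networks.create
compute.networks.delete
compute.networks.get
compute.networks.list
compute.networks.update
compute.subnetworks.create
compute.subnetworks.delete"

# What the task requires and what it forbids.
REQUIRED="compute.firewalls.create compute.firewalls.update compute.firewalls.delete"
FORBIDDEN="compute.networks.delete"

# has_perm PERMLIST PERM: succeeds when PERM appears as a whole line in PERMLIST.
has_perm() {
    printf '%s\n' "$1" | grep -qx -- "$2"
}

# role_fits PERMLIST: succeeds only when every REQUIRED permission is present
# and no FORBIDDEN permission is present; prints the first reason it fails.
role_fits() {
    perms="$1"
    for p in $REQUIRED; do
        has_perm "$perms" "$p" || { echo "missing required permission: $p"; return 1; }
    done
    for p in $FORBIDDEN; do
        if has_perm "$perms" "$p"; then
            echo "forbidden permission present: $p"
            return 1
        fi
    done
    return 0
}

# live_role_fits ROLE: same check against the real role definition via gcloud.
# Not run here. Assumes value() joins the includedPermissions list with ';'.
live_role_fits() {
    role_fits "$(gcloud iam roles describe "$1" \
        --format='value(includedPermissions)' | tr ';' '\n')"
}

# Granting the role once the check passes (replace PROJECT_ID and the group):
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#       --member='group:network-team@example.com' \
#       --role='roles/compute.securityAdmin'

# Stand-alone demonstration with the constructed lists.
role_fits "$SECURITY_ADMIN_PERMS" && echo "roles/compute.securityAdmin fits"
role_fits "$NETWORK_ADMIN_PERMS" || echo "roles/compute.networkAdmin does not fit"
```

Run `live_role_fits roles/compute.securityAdmin` with an authenticated gcloud to confirm against the current role definition before granting; predefined roles change over time, so the offline lists only illustrate the logic.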