
PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #129: Real Exam Question with Answer & Explanation

The correct answer is D: Assign the roles/logging.privateLogViewer role to a group with all the security team members. To grant security team members read-only access to Data Access audit logs in the _Required bucket with least privilege, assign the roles/logging.privateLogViewer role to a Google Group containing those members.

Submitted by femi9 · Apr 18, 2026 · Applying site reliability engineering principles to a service

Question

Your company's security team needs to have read-only access to Data Access audit logs in the _Required bucket. You want to provide your security team with the necessary permissions following the principle of least privilege and Google-recommended practices. What should you do?

Options

  • A. Assign the roles/logging.viewer role to each member of the security team.
  • B. Assign the roles/logging.viewer role to a group with all the security team members.
  • C. Assign the roles/logging.privateLogViewer role to each member of the security team.
  • D. Assign the roles/logging.privateLogViewer role to a group with all the security team members.

Explanation

To grant security team members read-only access to Data Access audit logs in the _Required bucket with least privilege, assign the roles/logging.privateLogViewer role to a Google Group containing those members.

Common mistakes.

  • A. roles/logging.viewer grants access to all logs except Data Access logs, so it would not fulfill the requirement, and assigning to individual members is less manageable.
  • B. roles/logging.viewer grants access to all logs except Data Access logs, so it would not fulfill the requirement, even if assigned to a group.
  • C. While roles/logging.privateLogViewer is the correct role, assigning it to each member individually is not the Google-recommended best practice for managing permissions; using a Google Group is preferred for scalability and easier auditing.

Concept tested. IAM for Cloud Logging (Data Access Logs) & Group Management

Reference. https://cloud.google.com/logging/docs/audit/audit-log-roles; https://cloud.google.com/iam/docs/manage-groups

Topics

#IAM Roles · #Cloud Logging · #Audit Logs · #Least Privilege
