PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #84: Real Exam Question with Answer & Explanation
The correct answer is C: Create log views for each project team and only show each project team their application logs. To provide granular access to logs in a central Cloud Logging project, create a log view for each project team that displays only that team's logs, and grant the operations team access to all logs. This meets the requirement while minimizing costs.
Question
Your organization stores all application logs from multiple Google Cloud projects in a central Cloud Logging project. Your security team wants to enforce a rule that each project team can only view their respective logs and only the operations team can view all the logs. You need to design a solution that meets the security team's requirements while minimizing costs. What should you do?
Options
- A. Grant each project team access to the project _Default view in the central logging project. Grant
- B. Create Identity and Access Management (IAM) roles for each project team and restrict access to
- C. Create log views for each project team and only show each project team their application logs.
- D. Export logs to BigQuery tables for each project team. Grant project teams access to their tables.
Explanation
To provide granular access to logs in a central Cloud Logging project, create a log view for each project team that displays only that team's logs, and grant the operations team access to all logs. This meets the requirement while minimizing costs.
Common mistakes.
- A. Granting each project team access to the project _Default view in the central logging project would give all teams access to all logs in that view, violating the requirement that each team can only view their respective logs.
- B. Creating IAM roles without specific log views would be too broad; IAM roles typically apply at the project or bucket level, not at the granular log entry level required to differentiate project-specific logs for different teams.
- D. Exporting logs to separate BigQuery tables for each project team would incur additional BigQuery storage and potentially export costs, and does not directly leverage Cloud Logging's built-in access control for views, thus not minimizing costs.
Concept tested. Cloud Logging log views for granular access control
Reference. https://cloud.google.com/logging/docs/views