PROFESSIONAL-CLOUD-DEVOPS-ENGINEER · Question #93
The correct answer is A: Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts. These two roles are the minimum needed for an instance to write logs and metrics to Cloud Logging and Cloud Monitoring.
Question
You have deployed a fleet of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?
Options
- A. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
- B. Grant the logging.admin and monitoring.editor roles to the Compute Engine service accounts.
- C. Grant the logging.editor and monitoring.metricWriter roles to the Compute Engine service accounts.
- D. Grant the logging.logWriter and monitoring.editor roles to the Compute Engine service accounts.
Explanation
To ensure Compute Engine instances can write logs and monitoring metrics to Google Cloud services with least privilege, grant their service accounts the logging.logWriter and monitoring.metricWriter roles.
Common mistakes
- B. logging.admin grants full control over logging resources and monitoring.editor grants broad editing permissions for monitoring resources; both are far too permissive for a service account that only needs to write logs and metrics, violating least privilege.
- C. logging.editor grants permissions to modify logging resources, which is too broad for simply writing logs. While monitoring.metricWriter is correct, pairing it with logging.editor violates least privilege.
- D. logging.logWriter is correct for writing logs. However, monitoring.editor grants permissions to modify monitoring resources, which is too broad; the service account only needs to write metrics, not edit dashboards or alerts, violating least privilege.
Concept tested: IAM roles for Cloud Logging/Monitoring write access
References:
- https://cloud.google.com/logging/docs/access-control
- https://cloud.google.com/monitoring/access-control
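The least-privilege point above can be turned into a repeatable check. The following is an added example, not part of the exam page or of any Google tooling: it audits an IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, reports whether the Compute Engine default service account holds exactly the two writer roles, and builds (but does not run) the gcloud commands that would remove the broad roles and add the missing ones. The project id, service account address and policy contents are constructed sample values; the set of "too broad" roles covers the roles named in this question and can be extended for your environment.

```python
"""Audit a project IAM policy for over-privileged Logging/Monitoring roles on a
Compute Engine service account (hypothetical helper, not Google's own code)."""
import json

# Roles sufficient for an instance to ship logs and metrics (the least-privilege pair).
LEAST_PRIVILEGE_ROLES = {"roles/logging.logWriter", "roles/monitoring.metricWriter"}

# Broader Logging/Monitoring roles that a log/metric-shipping workload does not need.
# Covers the roles discussed in this question; extend for your own environment.
OVERLY_BROAD_ROLES = {
    "roles/logging.admin",
    "roles/logging.editor",
    "roles/monitoring.editor",
    "roles/monitoring.admin",
}

# Constructed sample: the default Compute Engine service account follows the
# PROJECT_NUMBER-compute@developer.gserviceaccount.com pattern; the number is made up.
SAMPLE_PROJECT = "example-project"
SAMPLE_SA = "123456789012-compute@developer.gserviceaccount.com"

# Constructed sample policy in the shape emitted by
# `gcloud projects get-iam-policy PROJECT --format=json` (option B style mistake).
SAMPLE_POLICY = json.loads(json.dumps({
    "version": 1,
    "etag": "BwX-constructed-etag",
    "bindings": [
        {"role": "roles/logging.admin",
         "members": [f"serviceAccount:{SAMPLE_SA}", "user:ops-lead@example.com"]},
        {"role": "roles/monitoring.metricWriter",
         "members": [f"serviceAccount:{SAMPLE_SA}"]},
        {"role": "roles/viewer",
         "members": ["group:security-team@example.com"]},
    ],
}))


def audit_bindings(policy: dict, service_account: str) -> dict:
    """Classify the roles held by `service_account` in `policy`.

    Returns a dict with sorted lists: 'ok' (least-privilege writer roles held),
    'too_broad' (broad Logging/Monitoring roles held), 'missing' (writer roles
    not held) and 'other' (unrelated roles, reported for review only).
    """
    member = f"serviceAccount:{service_account}"
    held = {
        binding["role"]
        for binding in policy.get("bindings", [])
        if member in binding.get("members", [])
    }
    return {
        "ok": sorted(held & LEAST_PRIVILEGE_ROLES),
        "too_broad": sorted(held & OVERLY_BROAD_ROLES),
        "missing": sorted(LEAST_PRIVILEGE_ROLES - held),
        "other": sorted(held - LEAST_PRIVILEGE_ROLES - OVERLY_BROAD_ROLES),
    }


def is_least_privilege(findings: dict) -> bool:
    """True when the account holds both writer roles and no broad role."""
    return not findings["too_broad"] and not findings["missing"]


def remediation_commands(project_id: str, service_account: str, findings: dict) -> list:
    """Build the gcloud commands that would fix the findings; nothing is executed here."""
    member = f"serviceAccount:{service_account}"
    commands = []
    for role in findings["too_broad"]:
        commands.append(
            f"gcloud projects remove-iam-policy-binding {project_id} "
            f"--member={member} --role={role}"
        )
    for role in findings["missing"]:
        commands.append(
            f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}"
        )
    return commands


if __name__ == "__main__":
    result = audit_bindings(SAMPLE_POLICY, SAMPLE_SA)
    print(json.dumps(result, indent=2))
    print("least privilege:", is_least_privilege(result))
    for cmd in remediation_commands(SAMPLE_PROJECT, SAMPLE_SA, result):
        print(cmd)
```

Run against the constructed policy, the audit reports logging.admin as too broad and logging.logWriter as missing, and proposes one remove-binding and one add-binding command; a policy that grants only the two writer roles (option A) produces no findings. In a real project, pipe the output of `gcloud projects get-iam-policy` into `audit_bindings` instead of the sample.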