ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud DevOps Engineer All Questions

View all questions & answers for the Professional Cloud DevOps Engineer exam
Go to Exam

Exam Professional Cloud DevOps Engineer topic 1 question 124 discussion

Actual exam question from Google's Professional Cloud DevOps Engineer
Question #: 124
Topic #: 1
[All Professional Cloud DevOps Engineer Questions]

Your company’s security team needs to have read-only access to Data Access audit logs in the _Required bucket. You want to provide your security team with the necessary permissions following the principle of least privilege and Google-recommended practices. What should you do?

  • A. Assign the roles/logging.viewer role to each member of the security team.
  • B. Assign the roles/logging.viewer role to a group with all the security team members.
  • C. Assign the roles/logging.privateLogViewer role to each member of the security team.
  • D. Assign the roles/logging.privateLogViewer role to a group with all the security team members.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by ManishKS at Oct. 4, 2023, 7:32 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
alpha_canary
1 year ago
Selected Answer: D
https://cloud.google.com/iam/docs/job-functions/auditing#:~:text=Admin%20Activity%20logs.-,logging.privateLogViewer,privateLogViewer%20role%20gives%20the%20ability%20to%20view%20the%20Data%20Access%20logs.,-Once%20log%20entries
upvoted 2 times
...
ogerber
1 year ago
the question is wrong, the _Required log bucket is exclusively for Admin Activity logs and is not configurable for other types of logs. so B would be good, there is no good answer here.
upvoted 1 times
...
LaxmanTiwari
1 year, 1 month ago
Selected Answer: D
The right one
upvoted 1 times
...
xhilmi
1 year, 2 months ago
Selected Answer: D
The recommended solution is (option D) Assign the roles/logging.privateLogViewer role to a group with all the security team members. This approach follows the principle of least privilege by granting the specific role needed for read-only access to Data Access audit logs. The roles/logging.privateLogViewer role is more restrictive than roles/logging.viewer, providing access only to private logs, such as Data Access audit logs, and aligns with Google-recommended practices for securing sensitive data. By assigning this role to a group with all security team members, you can efficiently manage and update permissions for the entire team, maintaining a centralized and organized approach to access control for the designated logs in the _Required bucket.
upvoted 2 times
...
pharao89
1 year, 3 months ago
Selected Answer: D
D, no brainer, give access to private logs (so also access logs) to the team. Option C is partially correct, you should rather give access to a group than to individual members just to be future-proof.
upvoted 1 times
...
nhiguchi
1 year, 3 months ago
Selected Answer: D
Answer should be D
upvoted 1 times
...
activist
1 year, 4 months ago
https://cloud.google.com/iam/docs/job-functions/auditing The logging.privateLogViewer role gives the ability to view the Data Access logs. { "role": "roles/logging.privateLogViewer", "members": [ "group:[email protected]" ] Answer D seems correct.
upvoted 3 times
...
ManishKS
1 year, 4 months ago
Answer should be D
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel