Exam Professional Cloud DevOps Engineer topic 1 question 124 discussion

https://cloud.google.com/iam/docs/job-functions/auditing#:~:text=Admin%20Activity%20logs.-,logging.privateLogViewer,privateLogViewer%20role%20gives%20the%20ability%20to%20view%20the%20Data%20Access%20logs.,-Once%20log%20entries

the question is wrong, the _Required log bucket is exclusively for Admin Activity logs and is not configurable for other types of logs. so B would be good, there is no good answer here.

The right one

The recommended solution is (option D) Assign the roles/logging.privateLogViewer role to a group with all the security team members. This approach follows the principle of least privilege by granting the specific role needed for read-only access to Data Access audit logs. The roles/logging.privateLogViewer role is more restrictive than roles/logging.viewer, providing access only to private logs, such as Data Access audit logs, and aligns with Google-recommended practices for securing sensitive data. By assigning this role to a group with all security team members, you can efficiently manage and update permissions for the entire team, maintaining a centralized and organized approach to access control for the designated logs in the _Required bucket.

D, no brainer, give access to private logs (so also access logs) to the team. Option C is partially correct, you should rather give access to a group than to individual members just to be future-proof.

Answer should be D

https://cloud.google.com/iam/docs/job-functions/auditing The logging.privateLogViewer role gives the ability to view the Data Access logs. { "role": "roles/logging.privateLogViewer", "members": [ "group:[email protected]" ] Answer D seems correct.

Answer should be D