Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.

Unlimited Access

Get Unlimited Contributor Access to the all ExamTopics Exams!
Take advantage of PDF Files for 1000+ Exams along with community discussions and pass IT Certification Exams Easily.

Exam Associate Cloud Engineer topic 1 question 25 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 25
Topic #: 1
[All Associate Cloud Engineer Questions]

You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?

  • A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
  • B. Add the auditors group to two new custom IAM roles.
  • C. Add the auditor user accounts to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
  • D. Add the auditor user accounts to two new custom IAM roles.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
Reference:
https://cloud.google.com/iam/docs/roles-audit-logging

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
coldpar
Highly Voted 4 years ago
Correct is A. As per google best practices it is recommended to use predefined roles and create groups to control access to multiple users with same responsibility
upvoted 76 times
droogie
3 years, 8 months ago
You assume Auditors Group = External Auditors only. Auditors Group may contain both Internal and External Auditors.
upvoted 5 times
robor97
3 years, 3 months ago
The question literally says - External Auditors
upvoted 14 times
...
adeice
3 years ago
I can create External group and Internal group Auditors
upvoted 2 times
...
...
...
JavierCorrea
Highly Voted 3 years, 8 months ago
Correct answer is A as per: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors
upvoted 44 times
ArtistS
5 months, 1 week ago
very useful The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application
upvoted 1 times
...
...
sinh
Most Recent 2 months, 1 week ago
Selected Answer: A
auditors group
upvoted 1 times
...
sinh
3 months ago
Selected Answer:
https://cloud.google.com/iam/docs/job-functions/auditing?hl=ja#scenario_external_auditors
upvoted 1 times
...
thewalker
4 months, 1 week ago
Selected Answer: A
A Create a group with the auditors, grant 'logging.viewer' and 'bigQuery.dataViewer roles to the group on a table / view with the required data.
upvoted 2 times
...
gsmasad
4 months, 4 weeks ago
Selected Answer: A
AS per Google best practices the roles should be assigned to a group & not to individual users
upvoted 2 times
...
ArtistS
5 months, 1 week ago
A is correct. 1st you should know this is a exam. Google recommend xxx means you should choose group first.
upvoted 4 times
...
YourCloudGuru
6 months ago
Selected Answer: A
The correct answer is A. This option follows Google-recommended practices, because it allows you to grant auditors access to view audit logs without granting them access to other resources in your project. The other options are not as good: * Option B is not as good, because it requires you to create two new custom IAM roles. This can be complex and time-consuming. * Option C is not as good, because it grants auditors access to all audit logs in your project, including audit logs for resources that they do not need access to. * Option D is not as good, because it grants auditors access to all data in your BigQuery datasets, including data that they do not need access to.
upvoted 5 times
...
Captain1212
6 months, 4 weeks ago
Selected Answer: A
Google Recommended Practice A is the correct Answer add the users in the group then grant them the access
upvoted 3 times
...
sthapit
7 months, 3 weeks ago
C Option A, which suggests adding the auditors group to predefined roles, might not be as appropriate as using individual auditor user accounts. It's generally a best practice to assign permissions to specific users rather than groups, as it provides better granularity and control over access.
upvoted 1 times
...
ExamsFR
8 months, 1 week ago
Selected Answer: A
Correct answer is A
upvoted 2 times
...
vinodthakur49
8 months, 2 weeks ago
Selected Answer: C
There is no group created already, so C is the right answer.
upvoted 1 times
...
smanoj85
1 year ago
Correct Answer is B By creating a custom IAM role, you can specify the exact permissions that the auditors need, and avoid granting them unnecessary permissions that come with predefined IAM roles. In this case, you can create two custom IAM roles: one for 'logging.viewer' and one for 'bigQuery.dataViewer', and grant the corresponding permissions to each role. Then, you can add the auditors group to these custom roles to give them access to the required logs and data.
upvoted 4 times
smanoj85
1 year ago
Correct Answer is B Option A is incorrect because the logging.viewer and bigQuery.dataViewer roles only grant read access to logs and data in BigQuery, respectively. These roles do not provide audit logging capabilities. Option C is incorrect because it suggests adding individual user accounts to the roles, whereas the question specifically asks for adding an auditors group. In addition, adding individual user accounts can be difficult to manage and does not scale well as the number of auditors increases. It is generally recommended to use groups for managing access whenever possible. Option D suggests adding the auditor user accounts to two new custom IAM roles, which could work. However, the question specifically asks for following Google-recommended practices. The recommended practice is to use predefined roles over custom roles whenever possible. Therefore, option B, which suggests adding the auditors group to two new custom IAM roles, is not recommended.
upvoted 1 times
...
...
red_panda
1 year ago
Selected Answer: B
B is correct. Is a best practice to prefer custom role, specially for external users.
upvoted 3 times
...
asallo
1 year ago
A is the most appropriate Answer
upvoted 1 times
...
Buruguduystunstugudunstuy
1 year, 1 month ago
Selected Answer: B
I would say that Answer A is not the correct answer. While it is true that adding the auditor's group to the 'logging.viewer' and 'bigQuery.dataViewer' roles would allow them to view the logs and data in BigQuery, it does not enable IAM access audit logging. The correct answer is Answer B - Add the auditors group to two new custom IAM roles. You should create custom IAM roles with the necessary permissions to view IAM audit logs in BigQuery and assign those roles to the auditor's group. This follows the Google-recommended practice of using custom roles to grant least privilege access to resources. Answer C is incorrect because you should not add users' accounts to predefined IAM roles like logging.viewer or bigQuery.dataViewer. Predefined roles are meant to provide a general set of permissions for common use cases, and adding users or groups to them may grant them unnecessary access. Answer D is not the best practice as it is better to create separate custom IAM roles for each type of user rather than combining them.
upvoted 3 times
...
Bobbybash
1 year, 1 month ago
Selected Answer: B
B.... The recommended practice for configuring IAM access audit logging in BigQuery is to create two custom IAM roles for auditors: one with the bigquery.datasets.get permission, and the other with the bigquery.tables.getData permission. You should then add the auditors group to these custom IAM roles. This will allow auditors to view metadata about datasets and access data within tables, while preventing them from performing other operations on the BigQuery resources. Therefore, option B is the correct answer.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...