
Exam Associate Cloud Engineer topic 1 question 25 discussion

Actual exam question from Google's Associate Cloud Engineer
Question #: 25
Topic #: 1

You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?

  • A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
  • B. Add the auditors group to two new custom IAM roles.
  • C. Add the auditor user accounts to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
  • D. Add the auditor user accounts to two new custom IAM roles.
Suggested Answer: C
Reference:
https://cloud.google.com/iam/docs/roles-audit-logging

Comments

coldpar
Highly Voted 3 years ago
Correct is A. As per Google best practices, it is recommended to use predefined roles and create groups to control access for multiple users with the same responsibility.
upvoted 66 times
droogie
2 years, 8 months ago
You assume Auditors Group = External Auditors only. Auditors Group may contain both Internal and External Auditors.
upvoted 4 times
robor97
2 years, 3 months ago
The question literally says - External Auditors
upvoted 12 times
...
adeice
1 year, 12 months ago
I can create External group and Internal group Auditors
upvoted 2 times
...
...
...
JavierCorrea
Highly Voted 2 years, 7 months ago
Correct answer is A as per: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors
upvoted 35 times
...
smanoj85
Most Recent 1 day, 4 hours ago
Correct Answer is B. By creating a custom IAM role, you can specify the exact permissions that the auditors need, and avoid granting them unnecessary permissions that come with predefined IAM roles. In this case, you can create two custom IAM roles: one for 'logging.viewer' and one for 'bigQuery.dataViewer', and grant the corresponding permissions to each role. Then, you can add the auditors group to these custom roles to give them access to the required logs and data.
upvoted 1 times
...
red_panda
1 day, 23 hours ago
Selected Answer: B
B is correct. It is a best practice to prefer custom roles, especially for external users.
upvoted 1 times
...
asallo
1 week, 1 day ago
A is the most appropriate Answer
upvoted 1 times
...
Buruguduystunstugudunstuy
4 weeks, 1 day ago
Selected Answer: B
I would say that Answer A is not the correct answer. While it is true that adding the auditor's group to the 'logging.viewer' and 'bigQuery.dataViewer' roles would allow them to view the logs and data in BigQuery, it does not enable IAM access audit logging. The correct answer is Answer B - Add the auditors group to two new custom IAM roles. You should create custom IAM roles with the necessary permissions to view IAM audit logs in BigQuery and assign those roles to the auditor's group. This follows the Google-recommended practice of using custom roles to grant least privilege access to resources. Answer C is incorrect because you should not add users' accounts to predefined IAM roles like logging.viewer or bigQuery.dataViewer. Predefined roles are meant to provide a general set of permissions for common use cases, and adding users or groups to them may grant them unnecessary access. Answer D is not the best practice as it is better to create separate custom IAM roles for each type of user rather than combining them.
upvoted 2 times
...
Bobbybash
1 month ago
Selected Answer: B
B.... The recommended practice for configuring IAM access audit logging in BigQuery is to create two custom IAM roles for auditors: one with the bigquery.datasets.get permission, and the other with the bigquery.tables.getData permission. You should then add the auditors group to these custom IAM roles. This will allow auditors to view metadata about datasets and access data within tables, while preventing them from performing other operations on the BigQuery resources. Therefore, option B is the correct answer.
upvoted 2 times
...
processor
2 months, 3 weeks ago
Selected Answer: A
Once again, the "correct" answer is wrong (regarding Google best practices). How could you hope someone gives money to get wrong answers? A is the good one.
upvoted 1 times
jrisl1991
1 month, 3 weeks ago
Honestly, I think some answers are "wrong" on purpose because if they all were right, the website could be taken as a "cheat" instead of help to study. Correct answer is A.
upvoted 1 times
...
...
glanshima
3 months, 1 week ago
Correct: A. The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. See: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors
upvoted 1 times
...
vijay456
4 months, 3 weeks ago
Selected Answer: A
https://cloud.google.com/iam/docs/job-functions/auditing
upvoted 2 times
...
vijay456
4 months, 3 weeks ago
Selected Answer: C
There is no group created and no option says create group too, so provided option C is suitable best answer.
upvoted 3 times
...
leogor
4 months, 3 weeks ago
A, auditors group
upvoted 1 times
...
PSS387
4 months, 4 weeks ago
Selected Answer: A
Google recommends to group users to allow permissions
upvoted 1 times
...
PKookNN
5 months, 1 week ago
Selected Answer: A
Best practices recommend going with a group instead of individual users, so A is more correct than C.
upvoted 2 times
...
Cornholio_LMC
5 months, 3 weeks ago
had this question today
upvoted 1 times
rixson
5 months, 2 weeks ago
what's the answer?
upvoted 1 times
...
...
DjayTest21
5 months, 4 weeks ago
Selected Answer: A
A is correct
upvoted 1 times
...
iadarsh
6 months, 1 week ago
Selected Answer: A
A is correct because if you directly add users to the IAM roles, then if any user leaves the organization you have to remove the user from multiple places and revoke his/her access from multiple places. But if you put a user into a group, then it's very easy to manage these types of situations. Now, if any user leaves, you just need to remove the user from the group and all the access is revoked.
upvoted 1 times
...
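Added example, not part of any comment or of ExamTopics: a check over a project IAM policy for the two predefined roles named in the question, listing auditors bound as individual `user:` members instead of through a group, and counting the bindings that would need editing to offboard one of them. The policy JSON, e-mail addresses and function names are constructed for illustration, and only project-level bindings are considered.

```python
import json

# Predefined roles named in the question, written as IAM policy role IDs.
AUDIT_ROLES = {"roles/logging.viewer", "roles/bigquery.dataViewer"}

# Constructed sample policy, in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/logging.viewer",
     "members": ["group:external-auditors@example.com",
                 "user:auditor1@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["user:auditor1@example.com",
                 "user:auditor2@example.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ]
}
""")


def direct_user_grants(policy, roles=AUDIT_ROLES):
    """Return {user: sorted roles} for audit roles bound to user: members."""
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in roles:
            continue
        for member in binding.get("members", []):
            kind, _, ident = member.partition(":")
            if kind == "user":  # group:, serviceAccount:, deleted:... skipped
                found.setdefault(ident, set()).add(binding["role"])
    return {user: sorted(held) for user, held in found.items()}


def offboarding_edits(policy, email, roles=AUDIT_ROLES):
    """Count bindings that must be edited to remove one auditor's access.

    When access comes only through a group this is 0: offboarding is a
    group membership change and the IAM policy itself is untouched.
    """
    return len(direct_user_grants(policy, roles).get(email, []))


if __name__ == "__main__":
    for user, held in direct_user_grants(SAMPLE_POLICY).items():
        print(f"{user}: direct grant of {', '.join(held)}")
```
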
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted