Exam Associate Cloud Engineer topic 1 question 25 discussion

Correct is A. As per google best practices it is recommended to use predefined roles and create groups to control access to multiple users with same responsibility

Correct answer is A as per: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Correct Answer is B By creating a custom IAM role, you can specify the exact permissions that the auditors need, and avoid granting them unnecessary permissions that come with predefined IAM roles. In this case, you can create two custom IAM roles: one for 'logging.viewer' and one for 'bigQuery.dataViewer', and grant the corresponding permissions to each role. Then, you can add the auditors group to these custom roles to give them access to the required logs and data.

B is correct. Is a best practice to prefer custom role, specially for external users.

A is the most appropriate Answer

I would say that Answer A is not the correct answer. While it is true that adding the auditor's group to the 'logging.viewer' and 'bigQuery.dataViewer' roles would allow them to view the logs and data in BigQuery, it does not enable IAM access audit logging. The correct answer is Answer B - Add the auditors group to two new custom IAM roles. You should create custom IAM roles with the necessary permissions to view IAM audit logs in BigQuery and assign those roles to the auditor's group. This follows the Google-recommended practice of using custom roles to grant least privilege access to resources. Answer C is incorrect because you should not add users' accounts to predefined IAM roles like logging.viewer or bigQuery.dataViewer. Predefined roles are meant to provide a general set of permissions for common use cases, and adding users or groups to them may grant them unnecessary access. Answer D is not the best practice as it is better to create separate custom IAM roles for each type of user rather than combining them.

B.... The recommended practice for configuring IAM access audit logging in BigQuery is to create two custom IAM roles for auditors: one with the bigquery.datasets.get permission, and the other with the bigquery.tables.getData permission. You should then add the auditors group to these custom IAM roles. This will allow auditors to view metadata about datasets and access data within tables, while preventing them from performing other operations on the BigQuery resources. Therefore, option B is the correct answer.

Once again, the "correct" answer is wrong. (Regarding google best practices). How could you hope someone gives money to get wrong answers. A is the good one.

Correct A The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. see: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

https://cloud.google.com/iam/docs/job-functions/auditing

there is no group created and no option syas create group too, so provided option C is suitable best answer

A, auditors group

Google recommends to group users to allow permissions

best practices recommend going with group instead of individual users so A is more correct than C

had this question today

A is correct

A is Correct Because if you directly add users to the IAM roles, then if any users left the organization then you have to remove the users from multiple places and need to revoke his/her access from multiple places. But, if you put a user into a group then its very easy to manage these type of situations. Now, if any user left then you just need to remove the user from the group and all the access got revoked