Exam Professional Cloud Security Engineer topic 1 question 115 discussion

Answer = A roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

You need roles/logging.privateLogViewer to view data access log and Access Transparency logs https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/reading-logs#viewing-logs https://developers.google.com/cloud-search/docs/guides/audit-logging-manual#audit_log_permissions

For access to all logs in the _Required bucket, and access to the _Default view on the _Default bucket, grant the Logs Viewer (roles/logging.viewer) role. For access to all logs in the _Required and _Default buckets, including data access logs, grant the Private Logs Viewer (roles/logging.privateLogViewer) role.

A. since we need the data access logs on top of the others, only private log viewer provides this access/

Answer= A To view all logs in the _Required bucket, and to view logs in the _Default view on the _Default bucket, you must have the Logs Viewer (roles/logging.viewer) role. To view all logs in the _Required and _Default buckets, including data access logs, you must have the Private Logs Viewer (roles/logging.privateLogViewer) role.

D. roles/logging.viewer The security operations team should be granted the roles/logging.viewer IAM role. This role provides the necessary permissions to view logs within the organization's projects, and it aligns with the least privilege principle as it grants only view access to logs.

A is the ans

D is the answer: The security operations team needs to have access to specific logs across all projects in their organization while following the least privilege model. The appropriate IAM role to grant them would be roles/logging.viewer. This role provides read-only access to all logs in the project, including Admin Activity logs, Data Access logs, and Access Transparency logs. It does not provide access to any other resources in the project, such as compute instances or storage buckets. This ensures that the security operations team can only view the logs and cannot make any modifications to the resources.

A is the answer.

A. roles/logging.privateLogViewer

A is the answer. https://cloud.google.com/logging/docs/access-control#considerations roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.

roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket. https://cloud.google.com/logging/docs/access-control

I think the correct answer is A. logging.admin is too broad a permission. We need to give "only view access to logs". And we need to: ✑ Have access to Admin Activity logs. ✑ Have access to Data Access logs. ✑ Have access to Access Transparency logs. Only the roles/logging.privateLogViewer role has all these permissions. Private Logs Viewer (roles/logging.privateLogViewer) Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Lowest-level resources where you can grant this role: Project After you've configured Access Transparency for your Google Cloud organization, you can set controls for who can access the Access Transparency logs by assigning a user or group the Private Logs Viewer role. Links for reference: https://cloud.google.com/logging/docs/access-control https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/reading-logs?hl=en