
Answer-first summary for fast verification
Answer: Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.
The correct answer is B: Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy. The roles/logging.privateLogViewer role provides access to both Admin Activity and Data Access logs, so there is no need to export logs to Cloud Storage for review. The role also includes the permissions needed to use Logs Explorer, which makes it the more efficient and practical choice for the auditor.
Author: LeetQuiz Editorial Team
You are tasked with granting access permissions to an external auditor who needs to perform a review of your Google Cloud Platform (GCP) infrastructure. Specifically, the auditor requires access to two types of logs: the Audit Logs that record administrative activities and the Data Access logs that capture data read/write operations. Which Cloud Identity and Access Management (Cloud IAM) role should you assign to the auditor to enable them to review both of these log types?
A. Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.
B. Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.
C. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.
D. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.