
Answer-first summary for fast verification
Answer: Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
The principle of least privilege requires granting only the permissions that are necessary to perform a task. For monitoring metrics and logs to be visible in Cloud Logging and Cloud Monitoring, the Compute Engine service accounts need permissions to write logs and metrics. The logging.logWriter role provides permissions to write logs, and the monitoring.metricWriter role provides permissions to write metrics. These roles are sufficient for the task without granting additional permissions that could violate the principle of least privilege. Options B, C, and D grant more permissions than necessary (logging.admin, monitoring.editor, logging.editor), which are not required just for writing logs and metrics.
Author: LeetQuiz Editorial Team
You have deployed multiple Compute Engine instances in Google Cloud and need to make their monitoring metrics and logs accessible in Cloud Logging and Cloud Monitoring for your operations and security teams. How can you grant the necessary IAM roles to the Compute Engine service account while adhering to the principle of least privilege?
A. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
B. Grant the logging.admin and monitoring.editor roles to the Compute Engine service accounts.
C. Grant the logging.editor and monitoring.metricWriter roles to the Compute Engine service accounts.
D. Grant the logging.logWriter and monitoring.editor roles to the Compute Engine service accounts.