Answer-first summary for fast verification
Answer: Assign the Logs Configuration Writer role to developers in the staging Project
The correct approach is to assign the Logs Configuration Writer role to developers in the staging Project. This role is sufficient for creating logs-based metrics without granting excessive permissions. The Logs Admin role is overly permissive, especially if assigned at the folder level, as it would inadvertently grant developers access to production project logs. The principle of least privilege is upheld by limiting permissions to only what is necessary for the task at hand. For more details, refer to the Log-based metrics overview.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
Imagine you're overseeing an application within a Google Cloud Platform (GCP) organization that produces a significant volume of logs in the staging Project. The organization comprises two folders (dev and prod) and four projects (dev, test, staging, and production), with dev and test projects located in the dev folder, and staging and production projects in the prod folder. The goal is to create metrics from these logs for alerting purposes, specifically for this application, while adhering to the principle of least privilege. Which IAM solution best meets this requirement?
A
Grant the Logs Configuration Writer role to developers in the prod Folder
B
Assign the Logs Admin role to developers in the staging Project
C
Provide the Logs Admin role to developers in the prod Folder
D
Assign the Logs Configuration Writer role to developers in the staging Project
No comments yet.