
Explanation:
Option A is correct because it follows the principle of least privilege. The security team only needs to view logs across both environments, so granting logging.viewer at the organization level provides the necessary access without administrative permissions. The developers only need access to development logs, so granting logging.viewer at the folder level containing dev projects restricts their access appropriately.

Option B is incorrect because it grants logging.admin to developers at the organization level, giving them unnecessary administrative permissions and access to production logs.

Option C is incorrect because it grants logging.admin to the security team, providing unnecessary administrative permissions when they only need viewing capabilities.

Option D is incorrect for the same reasons as B and C combined: it grants excessive administrative permissions to both teams.
Your organization uses a top-level folder structure to separate production and development environments. Developers need access to view all audit logs for development but must be prevented from accessing production logs. The security team requires access to audit logs in both production and development. You need to assign the appropriate Identity and Access Management (IAM) roles at the correct resource hierarchy level for both teams while adhering to the principle of least privilege.
What should you do?
A
B
C
D