
Answer-first summary for fast verification
Answer: 1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
Option A is correct because it follows the principle of least privilege. The security team only needs to view logs across both environments, so granting logging.viewer at the organization level provides the necessary access without administrative permissions. The developers only need access to development logs, so granting logging.viewer at the folder level containing dev projects restricts their access appropriately.
Option B is incorrect because it grants logging.admin to developers at the organization level, giving them unnecessary administrative permissions and access to production logs.
Option C is incorrect because it grants logging.admin to the security team, providing unnecessary administrative permissions when they only need viewing capabilities.
Option D is incorrect for the same reasons as B and C combined: it grants excessive administrative permissions to both teams.
Author: LeetQuiz Editorial Team
Your organization uses a top-level folder structure to separate production and development environments. Developers need access to view all audit logs for development but must be prevented from accessing production logs. The security team requires access to audit logs in both production and development. You need to assign the appropriate Identity and Access Management (IAM) roles at the correct resource hierarchy level for both teams while adhering to the principle of least privilege.
What should you do?
A
B
C
D