
Answer-first summary for fast verification
Answer: roles/logging.privateLogViewer
The question requires a role that provides view-only access to Admin Activity logs, Data Access logs, and Access Transparency logs while following the least privilege principle. Based on Google Cloud documentation and the community discussion consensus (with option A receiving 86% support and multiple upvoted comments referencing official documentation):

- **roles/logging.privateLogViewer (A)**: This role includes all permissions from roles/logging.viewer plus the ability to read Data Access audit logs in the _Default bucket and Access Transparency logs. It specifically provides access to all required log types without granting unnecessary permissions.
- **roles/logging.viewer (D)**: While this role provides access to Admin Activity logs and some logs, it does NOT include access to Data Access audit logs or Access Transparency logs, making it insufficient for the requirements.
- **roles/logging.admin (B)**: This role provides administrative permissions (including write/delete capabilities), violating the least privilege requirement of 'only view access to logs'.
- **roles/viewer (C)**: This is a broad project-level role that grants view access to all project resources, not just logs, which violates the least privilege principle.

The community discussion strongly supports A, with multiple comments citing official Google documentation confirming that roles/logging.privateLogViewer is specifically designed for viewing private logs including Data Access and Access Transparency logs.
Author: LeetQuiz Editorial Team
A security operations team requires access to view all security-related logs across their organization's projects. The requirements are:
Which single pre-defined IAM role meets these requirements?
A. roles/logging.privateLogViewer
B. roles/logging.admin
C. roles/viewer
D. roles/logging.viewer