GCP Professional Cloud Security Engineer Practice Question
In a centralized logging project, all project logs flow into an organization-level bucket called org-sec-logs. Requirements:
1) Tier-1 analysts must read every entry, including Data Access audit logs.
2) Each project's tech lead must see only that project's logs and must never see Data Access audit logs.
3) A compliance-automation service account must adjust bucket retention and create new log buckets and views.
Which IAM and log-view configuration meets these needs with the least privilege?

A) Grant roles/logging.privateLogViewer on the logging project to both analysts and tech leads; grant roles/logging.configWriter on the org-sec-logs bucket to the compliance service account; create per-project log sinks for tech leads.
B) Grant roles/viewer at the organization level to analysts; create a per-project log view and grant roles/logging.privateLogViewer on the view to each tech lead; grant roles/logging.viewer on the org-sec-logs bucket to the compliance service account.
C) Grant roles/logging.viewer to analysts; grant roles/logging.privateLogViewer to each tech lead; grant the compliance service account the Owner role on the logging project without using log views.
D) Grant roles/logging.privateLogViewer on the org-sec-logs bucket to analysts; create a per-project log view that excludes logName entries matching data_access and grant roles/logging.viewer on that view to each tech lead; grant roles/logging.admin on the logging project to the compliance service account.
Explanation: The correct configuration is the fourth option. roles/logging.privateLogViewer lets the Tier-1 analysts read every entry in org-sec-logs, including Data Access audit logs, because it adds logging.privateLogEntries.list on top of the ordinary Logs Viewer permissions. In practice that binding is made on the project that hosts the bucket (or on the bucket's _AllLogs view), since log buckets themselves do not carry IAM policies. A per-project log view whose filter is, for example, resource.labels.project_id="PROJECT_ID" AND -logName:(data_access) contains only that project's entries and never a Data Access audit entry, so whatever read role is granted on the view restricts each tech lead to exactly those entries; the option names roles/logging.viewer, and the dedicated Logs View Accessor role (roles/logging.viewAccessor), which carries only logging.views.access, is the narrowest role for this view-scoped grant. The compliance service account needs logging.buckets.update to change retention, and logging.buckets.create plus logging.views.* to add buckets and views. New buckets and views are created under the project rather than under an existing bucket, so those permissions must be granted on the logging project (the parent resource); roles/logging.admin on that project includes all of them. Each distractor breaks at least one requirement. The first gives tech leads roles/logging.privateLogViewer, exposing Data Access logs, binds roles/logging.configWriter on a bucket, where it cannot authorize creating new buckets, and relies on sinks, which route entries rather than restrict who can read them. The second gives analysts the basic roles/viewer role, which lacks logging.privateLogEntries.list, again gives tech leads privateLogViewer, and leaves the compliance account with a read-only role that can neither change retention nor create buckets. The third gives analysts only roles/logging.viewer (no Data Access logs), tech leads privateLogViewer, and the compliance account Owner, far more than it needs.
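As an added example (not part of the original question, and not code from Google's documentation), the following gcloud script provisions the configuration described above. The logging project name, bucket location, retention period, principals and source project names are assumptions. By default it prints the commands it would run and only executes them when APPLY=1 is set, so it can be reviewed before use. It binds the tech leads' role on each view using roles/logging.viewAccessor, the narrowest role for view-scoped reads, where the answer option names roles/logging.viewer.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: provisions the answer's IAM and
# log-view layout with gcloud. All names below are assumptions. Commands are
# printed unless APPLY=1 is set, so the script can be reviewed before use.
set -euo pipefail

LOG_PROJECT="${LOG_PROJECT:-sec-logging-prj}"     # assumed project hosting org-sec-logs
BUCKET="org-sec-logs"
LOCATION="${LOCATION:-global}"                    # assumed bucket location
RETENTION_DAYS="${RETENTION_DAYS:-400}"           # assumed compliance retention
ANALYSTS="group:tier1-analysts@example.com"       # assumed principals
COMPLIANCE_SA="serviceAccount:compliance-automation@${LOG_PROJECT}.iam.gserviceaccount.com"

# Execute the command, or print it when APPLY is not 1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# View filter for one source project: its entries only, with Data Access audit
# logs (logName .../cloudaudit.googleapis.com%2Fdata_access) excluded.
# The project scope can equivalently be written source("projects/PROJECT_ID").
view_filter() {
  printf 'resource.labels.project_id="%s" AND -logName:(data_access)' "$1"
}

# Requirement 1: analysts read everything, Data Access logs included.
# Log buckets carry no IAM policy of their own, so the role is bound on the
# project that hosts the bucket.
grant_analysts() {
  run gcloud projects add-iam-policy-binding "$LOG_PROJECT" \
    --member="$ANALYSTS" --role=roles/logging.privateLogViewer
}

# Requirement 2: one filtered view per source project, readable only by that
# project's tech lead via the Logs View Accessor role bound on the view itself.
create_project_view() {
  local src_project="$1" lead="$2"
  local view="${src_project}-view"
  run gcloud logging views create "$view" \
    --bucket="$BUCKET" --location="$LOCATION" --project="$LOG_PROJECT" \
    --log-filter="$(view_filter "$src_project")"
  run gcloud logging views add-iam-policy-binding "$view" \
    --bucket="$BUCKET" --location="$LOCATION" --project="$LOG_PROJECT" \
    --member="$lead" --role=roles/logging.viewAccessor
}

# Requirement 3: bucket create/update and view permissions are evaluated on
# the parent project, so roles/logging.admin is bound there, not on the bucket.
grant_compliance() {
  run gcloud projects add-iam-policy-binding "$LOG_PROJECT" \
    --member="$COMPLIANCE_SA" --role=roles/logging.admin
}

# The retention change the compliance account is expected to make.
set_retention() {
  run gcloud logging buckets update "$BUCKET" --location="$LOCATION" \
    --project="$LOG_PROJECT" --retention-days="$RETENTION_DAYS"
}

main() {
  grant_analysts
  create_project_view "app-prod"  "user:lead-app@example.com"    # assumed project and lead
  create_project_view "data-lake" "user:lead-data@example.com"
  grant_compliance
  set_retention
}

main
```

Run it with APPLY=1 from an identity that can set IAM policy on the logging project and administer its logging configuration. A tech lead can then confirm the scope with gcloud logging read --bucket=org-sec-logs --view=app-prod-view --location=global (assumed names): the result should contain only entries from that project and no cloudaudit.googleapis.com%2Fdata_access entries, while a principal holding only roles/logging.viewAccessor on one view is denied on the other views and on _AllLogs.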
Exam: GCP Professional Cloud Security Engineer. Domain: Managing operations.