GCP Professional Cloud Security Engineer Practice Question
Your organization aggregates all Cloud Audit Logs from several production projects into a dedicated logging project. DevOps engineers must be able to view Admin Activity logs for troubleshooting but must not see any Data Access or Access Transparency entries. The security operations team requires full visibility into every audit record. Which configuration best applies the principle of least privilege while meeting both requirements?
Remove Logging IAM roles entirely, enable Cloud Storage object ACLs on the bucket, and give DevOps Storage Object Viewer while giving security operations Storage Object Admin.
Grant DevOps roles/logging.privateLogViewer and grant security operations roles/logging.admin; rely on default permissions.
Create a log view that filters out Admin Activity logs, then grant both teams roles/logging.viewer and have security operations switch views when needed.
Grant DevOps roles/logging.viewer on the centralized log bucket and grant security operations roles/logging.privateLogViewer; no extra log views are configured.
roles/logging.viewer allows users to read most log entries, but it excludes the sensitive categories, namely Data Access and Access Transparency logs. Granting this role to DevOps engineers lets them view Admin Activity logs while blocking the private logs they are not authorized to see. roles/logging.privateLogViewer grants read-only access to all logs, including the private ones; assigning it to the security operations team satisfies their need for complete visibility. Because the permission boundary is already enforced by the roles themselves, no additional log views, object ACLs, or bucket-level workarounds are necessary. Granting DevOps broader roles (for example, logging.privateLogViewer or logging.admin) or replacing Logging IAM roles with Cloud Storage ACLs would either violate least privilege or fail to provide the correct level of access.
GCP Professional Cloud Security Engineer
Managing operations