GCP Professional Cloud Security Engineer Practice Question
Your organization aggregates all project logs into a centralized log bucket called org-logs. A security investigation team must see every log entry, including Data Access events, while application developers should see only log entries whose resource.labels.service_name="orders-service" field matches their micro-service and should never see Data Access logs or other services' traffic. What is the most secure and maintainable way to meet both requirements?
Enable Data Access logs at the project level and require developers to use the Logs Explorer's query builder for filtering; give everyone roles/logging.privateLogViewer on the org-logs bucket.
Grant the security team roles/logging.privateLogViewer on the org-logs bucket and give developers roles/logging.viewer on a log view that filters to the orders-service entries and excludes Data Access logs.
Create two additional log buckets: one with a sink that routes only orders-service logs for developers and one with all logs for the security team; grant both parties roles/logging.viewer on their respective buckets.
Export all Data Access logs to BigQuery, grant the security team the BigQuery Data Viewer role on the dataset, and allow developers to query the dataset with row-level access policies that expose only orders-service rows.
Grant the investigation team roles/logging.privateLogViewer on the org-logs bucket so they can read every entry, including Data Access logs. Create a log view on the same bucket that filters resource.labels.service_name="orders-service" and excludes logName:("/data_access"). Assign the developers the less-privileged roles/logging.viewer role on that view, not on the bucket. Log views provide field-level and log-type filtering without duplicating data, while bucket-level IAM plus the private-log viewer role gives the investigators comprehensive access.
GCP Professional Cloud Security Engineer
Managing operations