GCP Professional Cloud Security Engineer Practice Question
Your organization aggregates all VPC Flow Logs and firewall rule logs from every project into a centralized log bucket called "net-sec-logs" that is hosted in the security project. A third-party network-operations contractor needs temporary, read-only access so they can investigate network performance issues. However, for compliance reasons the contractor must not be able to view any Cloud Audit Data Access logs or other private log entries that might also be stored in the same bucket in the future. Which single IAM role should you grant on the log bucket to meet both requirements while following the principle of least privilege?
Grant roles/logging.viewer on the "net-sec-logs" bucket.
Grant roles/logging.admin on the "net-sec-logs" bucket.
Grant both roles/logging.viewer and roles/logging.privateLogViewer on the "net-sec-logs" bucket.
Grant roles/logging.privateLogViewer on the "net-sec-logs" bucket.
VPC Flow Logs and firewall rule logs are regular (public) log entries. Granting the role roles/logging.viewer on the log bucket lets a principal read all non-private log entries in that bucket but does not include the permissions logging.privateLogEntries.get or logging.privateLogEntries.list, which are required to view Cloud Audit Data Access or other private logs. Because the contractor does not receive those private-entry permissions, they remain unable to see sensitive Data Access logs while still having read-only visibility into the required network logs. Granting roles/logging.privateLogViewer, roles/logging.admin, or a combination of viewer and privateLogViewer would violate the requirement by exposing private logs or providing excessive permissions.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the purpose of VPC Flow Logs and firewall rule logs?
Open an interactive chat with Bash
What does the `roles/logging.viewer` IAM role allow a user to do?
Open an interactive chat with Bash
What is the principle of least privilege, and why is it important in IAM roles?
Open an interactive chat with Bash
What is a VPC Flow Log?
Open an interactive chat with Bash
What is the principle of least privilege?
Open an interactive chat with Bash
What is the difference between `roles/logging.viewer` and `roles/logging.privateLogViewer`?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .