GCP Professional Cloud Security Engineer Practice Question
Your organization has hundreds of Google Cloud projects underneath a single organization node. You are asked to centralize all Admin Activity and Data Access audit logs in a dedicated Cloud Storage bucket named org-audit-archive that resides in the security-logs project. You decide to create one organization-level aggregated log sink targeting the bucket. To satisfy the principle of least privilege, which IAM role must you grant to the sink's writer identity on the bucket?
Grant roles/storage.legacyBucketWriter on the org-audit-archive bucket
Grant roles/storage.objectCreator on the org-audit-archive bucket
Grant roles/logging.logWriter on the org-audit-archive bucket
Grant roles/storage.admin on the security-logs project
A log sink that exports to Cloud Storage writes through its writer identity, which is a service account. That identity already has permission to read logs, but it cannot write objects to a bucket that lives in another project unless you grant it Cloud Storage permissions. The minimum permission needed is storage.objects.create, which is included in the predefined role roles/storage.objectCreator. Granting broader roles such as roles/storage.admin or roles/storage.legacyBucketWriter would violate least privilege, and roles/logging.logWriter does not provide any Cloud Storage permissions, so the sink would fail to deliver logs.
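The check below is an added example, not part of the original question. It audits a bucket IAM policy, in the JSON shape that `gcloud storage buckets get-iam-policy gs://org-audit-archive --format=json` returns, against the reasoning in the explanation. The writer identity value and the sample bindings are constructed, and the function name is hypothetical.

```python
import json

REQUIRED_ROLE = "roles/storage.objectCreator"
# Roles the explanation rejects as broader than needed; both include storage.objects.create.
OVERBROAD_ROLES = {"roles/storage.admin", "roles/storage.legacyBucketWriter"}
# Role the explanation rejects because it carries no Cloud Storage permissions.
NO_STORAGE_ROLES = {"roles/logging.logWriter"}

# Constructed sample: the organization ID and the bindings are made up for illustration.
WRITER = "serviceAccount:service-org-123456789012@gcp-sa-logging.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storage.legacyBucketWriter", "members": ["%s"]},
  {"role": "roles/logging.logWriter", "members": ["%s"]},
  {"role": "roles/storage.objectViewer", "members": ["group:sec-audit@example.com"]}
]}
""" % (WRITER, WRITER))


def audit_sink_binding(policy, writer_identity):
    """Return sorted findings for the sink's writer identity in a bucket IAM policy."""
    # Collect every role bound directly to the writer identity on this bucket.
    held = {
        b["role"]
        for b in policy.get("bindings", [])
        if writer_identity in b.get("members", [])
    }
    findings = []
    # Without any role that includes storage.objects.create, delivery fails.
    if not held & (OVERBROAD_ROLES | {REQUIRED_ROLE}):
        findings.append("NO_WRITE_ACCESS: sink cannot create objects, export will fail")
    for role in held & OVERBROAD_ROLES:
        findings.append(f"OVERBROAD: replace {role} with {REQUIRED_ROLE}")
    for role in held & NO_STORAGE_ROLES:
        findings.append(f"INEFFECTIVE: {role} grants no Cloud Storage permissions")
    for role in held - OVERBROAD_ROLES - NO_STORAGE_ROLES - {REQUIRED_ROLE}:
        findings.append(f"REVIEW: unexpected role {role}")
    return sorted(findings)


if __name__ == "__main__":
    for line in audit_sink_binding(SAMPLE_POLICY, WRITER):
        print(line)
```

The audit covers bindings on the bucket only; a role granted at the project level, such as the roles/storage.admin option above, would have to be checked in the security-logs project's policy.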
GCP Professional Cloud Security Engineer
Managing operations