GCP Professional Cloud Security Engineer Practice Question

Your security team is creating an organization-level aggregated log sink that exports all Admin Activity and Data Access audit logs from every current and future project into a BigQuery dataset located in a central security project. The team must grant the sink's automatically-created service account the minimum predefined BigQuery IAM role that still allows the sink to create new tables and write log entries into the dataset, but nothing more. Which role should you assign to the service account on the destination dataset to meet these requirements?

BigQuery Data Owner (roles/bigquery.dataOwner) on the destination dataset
BigQuery User (roles/bigquery.user) on the destination dataset
BigQuery JobUser (roles/bigquery.jobUser) on the destination dataset
BigQuery Data Editor (roles/bigquery.dataEditor) on the destination dataset

Report Issue

Answer Description

When a Cloud Logging sink writes to BigQuery, its writer identity must be able to create new tables (if they do not yet exist) and insert rows into those tables. The least-privilege predefined role that provides exactly these capabilities on a dataset is BigQuery Data Editor (roles/bigquery.dataEditor). This role includes permissions such as bigquery.tables.create and bigquery.tables.updateData, which are required for the sink to function. Granting BigQuery Data Owner would also work but exceeds the minimum necessary privileges, while BigQuery User or BigQuery JobUser do not allow table creation or data insertion, so the export would fail.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.