Google Cloud Associate Cloud Engineer — Question 105
You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external auditor. The auditor needs to have permissions to review your Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs. What should you do?
Answer options
- A. Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.
- B. Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.
- C. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.
- D. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.
Correct answer: B
Explanation
The correct answer is B because assigning the roles/logging.privateLogViewer role allows the auditor to review both Audit Logs and Data Access logs, and they should also monitor for changes to Cloud IAM policy. Options A and C fail to include the necessary directive about reviewing IAM policy changes, while D does not provide the appropriate role for reviewing both log types.