Google Cloud Professional Cloud DevOps Engineer — Question 121
You have deployed a fleet of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?
Answer options
- A. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
- B. Grant the logging.admin and monitoring.editor roles to the Compute Engine service accounts.
- C. Grant the logging.editor and monitoring.metricWriter roles to the Compute Engine service accounts.
- D. Grant the logging.logWriter and monitoring.editor roles to the Compute Engine service accounts.
Correct answer: A
Explanation
The correct answer is A. roles/logging.logWriter grants only the permission to create log entries (logging.logEntries.create), and roles/monitoring.metricWriter grants only the permission to write time series (monitoring.timeSeries.create). That is exactly what an agent running on the instance needs in order to ship logs and metrics, and nothing more, so this pair is the least-privilege grant. Options B, C and D all bind roles wider than that write-only need: logging.admin also allows reading logs and managing Logging configuration such as sinks and buckets, and monitoring.editor also allows changing Monitoring configuration such as dashboards, alerting policies and uptime checks. The operations and security teams who need to read the data should get viewer roles on the project under their own identities; nothing about their access needs to be granted to the instances' service account. Two practical caveats apply when implementing this: if the instances run under the default Compute Engine service account, that account is automatically granted the project-level Editor role unless an organization policy disables the grant, and Editor should be removed once the two narrow roles are in place; and IAM bindings only take effect if the instance's access scopes permit the calls, so instances created with custom scopes need logging.write and monitoring.write (or cloud-platform).
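The following is an added example, not part of the exam question or its explanation. It audits and right-sizes the bindings for a Compute Engine service account against the two roles from answer A, working on the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (`bindings: [{role, members}]`). The project ID `example-project`, the project number in the service account email, and the other principals in the sample policy are constructed for illustration; the sample deliberately shows the default Compute Engine service account still holding `roles/editor` and an over-broad `roles/monitoring.editor` binding.

```python
"""Audit and right-size IAM bindings for a Compute Engine service account.

Operates on the policy JSON shape produced by
`gcloud projects get-iam-policy PROJECT --format=json`:
{"bindings": [{"role": "...", "members": ["..."]}, ...], "etag": "..."}
"""
import copy
import json

# Least-privilege roles for a VM that only needs to ship logs and metrics.
LEAST_PRIVILEGE_ROLES = frozenset({
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
})

# Constructed sample input (hypothetical project and principals).
PROJECT = "example-project"
COMPUTE_SA = "serviceAccount:123456789012-compute@developer.gserviceaccount.com"
SAMPLE_POLICY = {
    "etag": "BwXyZ123",
    "bindings": [
        # Default grant that Google Cloud makes to the default compute SA.
        {"role": "roles/editor", "members": [COMPUTE_SA]},
        # Over-broad: metric writing does not need Monitoring config rights.
        {"role": "roles/monitoring.editor",
         "members": [COMPUTE_SA, "user:alice@example.com"]},
        # An unrelated workload SA that is already least-privilege.
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    ],
}


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` at this resource."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_member(policy, member, allowed=LEAST_PRIVILEGE_ROLES):
    """Return (missing, excess): allowed roles not held, held roles not allowed."""
    have = roles_for_member(policy, member)
    return sorted(allowed - have), sorted(have - allowed)


def add_binding(policy, member, role):
    """Idempotently add `member` to an unconditional binding for `role`."""
    for b in policy.setdefault("bindings", []):
        if b["role"] == role and "condition" not in b:
            if member not in b["members"]:
                b["members"].append(member)
            return policy
    policy["bindings"].append({"role": role, "members": [member]})
    return policy


def remove_binding(policy, member, role):
    """Remove `member` from every binding for `role`; drop empty bindings."""
    for b in policy.get("bindings", []):
        if b["role"] == role and member in b.get("members", []):
            b["members"].remove(member)
    policy["bindings"] = [b for b in policy.get("bindings", []) if b.get("members")]
    return policy


def right_size(policy, member, allowed=LEAST_PRIVILEGE_ROLES):
    """Return a copy of `policy` in which `member` holds exactly `allowed`."""
    new = copy.deepcopy(policy)
    missing, excess = audit_member(new, member, allowed)
    for role in excess:
        remove_binding(new, member, role)
    for role in missing:
        add_binding(new, member, role)
    return new


def gcloud_commands(project, member, missing, excess):
    """Equivalent gcloud invocations, for applying the change by hand."""
    cmds = [f"gcloud projects remove-iam-policy-binding {project} "
            f"--member={member} --role={role}" for role in excess]
    cmds += [f"gcloud projects add-iam-policy-binding {project} "
             f"--member={member} --role={role}" for role in missing]
    return cmds


if __name__ == "__main__":
    missing, excess = audit_member(SAMPLE_POLICY, COMPUTE_SA)
    print("missing:", missing)
    print("excess: ", excess)
    print("\n".join(gcloud_commands(PROJECT, COMPUTE_SA, missing, excess)))
    print(json.dumps(right_size(SAMPLE_POLICY, COMPUTE_SA), indent=2))
```

The right-sized policy can be applied with `gcloud projects set-iam-policy`, or the emitted add/remove commands run one at a time; either way, check that the etag has not changed between the read and the write so a concurrent edit is not silently overwritten. Removing `roles/editor` here only affects the compute service account's binding; `user:alice@example.com` keeps her `roles/monitoring.editor`, which is a human-identity decision outside the scope of the question.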