Google Cloud Professional Cloud DevOps Engineer — Question 153
Your organization stores all application logs from multiple Google Cloud projects in a central Cloud Logging project. Your security team wants to enforce a rule that each project team can only view their respective logs and only the operations team can view all the logs. You need to design a solution that meets the security team's requirements while minimizing costs. What should you do?
Answer options
- A. Grant each project team access to the project _Default view in the central logging project. Grant logging viewer access to the operations team in the central logging project.
- B. Create Identity and Access Management (IAM) roles for each project team and restrict access to the _Default log view in their individual Google Cloud project. Grant viewer access to the operations team in the central logging project.
- C. Create log views for each project team and only show each project team their application logs. Grant the operations team access to the _AllLogs view in the central logging project.
- D. Export logs to BigQuery tables for each project team. Grant project teams access to their tables. Grant logs writer access to the operations team in the central logging project.
Correct answer: C
Explanation
Option C is correct because creating log views for each project team ensures they only see their specific logs while allowing the operations team to access all logs through the _AllLogs view. Option A does not restrict access appropriately, as it allows project teams to see all logs. Option B restricts access to individual projects but does not fulfill the requirement for the operations team to see all logs. Option D introduces unnecessary complexity and cost by exporting logs to BigQuery, which is not needed for this scenario.