Google Cloud Professional Cloud Security Engineer — Question 149

Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs, but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (IAM) roles at the right resource level for the developers and security team while you ensure least privilege.

What should you do?

Answer options

• A. 1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
• B. 1. Grant logging.viewer role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.
• C. 1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.viewer role to the developer team at the folder resource level that contains all the dev projects.
• D. 1. Grant logging.admin role to the security team at the organization resource level. 2. Grant logging.admin role to the developer team at the organization resource level.

Correct answer: A

Explanation

Option A is correct because it provides the necessary permissions for the security team to view all logs at the organization level while granting developers access to only the development logs at the folder level. Option B incorrectly gives the developer team the logging.admin role, which would allow them to see production logs. Option C assigns the logging.admin role to the security team, which is unnecessary since they only need viewer access. Option D grants excessive permissions to the developer team, violating the principle of least privilege.