Topic 1 Question 115
The security operations team needs access to the security-related logs for all projects in their organization. They have the following requirements:
✑ Follow the least privilege model by having only view access to logs.
✑ Have access to Admin Activity logs.
✑ Have access to Data Access logs.
✑ Have access to Access Transparency logs.
Which Identity and Access Management (IAM) role should the security operations team be granted?
A. roles/logging.privateLogViewer
B. roles/logging.admin
C. roles/viewer
D. roles/logging.viewer
Comments (9)
Answer = A
roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
👍 13 mouchu 2022/05/17
I think the correct answer is A. logging.admin is too broad a permission. We need to give "only view access to logs". And we need to:
✑ Have access to Admin Activity logs.
✑ Have access to Data Access logs.
✑ Have access to Access Transparency logs.
Only the roles/logging.privateLogViewer role has all these permissions.
Private Logs Viewer (roles/logging.privateLogViewer) Provides permissions of the Logs Viewer role and in addition, provides read-only access to log entries in private logs. Lowest-level resources where you can grant this role: Project
After you've configured Access Transparency for your Google Cloud organization, you can set controls for who can access the Access Transparency logs by assigning a user or group the Private Logs Viewer role.
Links for reference:
https://cloud.google.com/logging/docs/access-control
https://cloud.google.com/cloud-provider-access-management/access-transparency/docs/reading-logs?hl=en
👍 4 Nicky1402 2022/05/09
Selected answer: A
roles/logging.privateLogViewer (Private Logs Viewer) includes all the permissions contained by roles/logging.viewer, plus the ability to read Data Access audit logs in the _Default bucket.
👍 3 cloudprincipal 2022/06/05
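The least-privilege selection the comments argue for, as an added example (not code from the discussion or from Google): the permission sets are a constructed, simplified subset of the real roles, and the mapping of Admin Activity logs to `logging.logEntries.list` and of Data Access / Access Transparency logs to `logging.privateLogEntries.list` is an assumption.

```python
"""Pick the least-privileged predefined role covering a required permission set.
Added example; the role contents below are a constructed, simplified subset."""

# Assumption: Admin Activity logs are readable with logging.logEntries.list,
# while Data Access and Access Transparency logs additionally require
# logging.privateLogEntries.list (the permission Private Logs Viewer adds).
REQUIRED = {"logging.logEntries.list", "logging.privateLogEntries.list"}

# Constructed subset of each candidate role's permissions.
CANDIDATES = {
    "roles/logging.privateLogViewer": {
        "logging.logEntries.list", "logging.privateLogEntries.list",
        "logging.logs.list", "logging.buckets.get",
    },
    "roles/logging.admin": {
        "logging.logEntries.list", "logging.privateLogEntries.list",
        "logging.logs.list", "logging.logs.delete", "logging.sinks.create",
        "logging.buckets.update",
    },
    "roles/viewer": {
        "logging.logEntries.list", "logging.logs.list",
        "compute.instances.list", "storage.objects.get",
    },
    "roles/logging.viewer": {
        "logging.logEntries.list", "logging.logs.list", "logging.buckets.get",
    },
}

READ_ONLY_VERBS = ("get", "list")

def is_read_only(permission: str) -> bool:
    """A permission is view-only when its verb (last segment) is get or list."""
    return permission.rsplit(".", 1)[-1] in READ_ONLY_VERBS

def least_privilege_role(required, candidates):
    """Return the candidate role that grants only read verbs and covers every
    required permission, preferring the fewest extra permissions; None if
    no candidate satisfies both constraints."""
    eligible = []
    for role, perms in candidates.items():
        if not required <= perms:
            continue  # misses a required log type
        if not all(is_read_only(p) for p in perms):
            continue  # grants write access, so not least privilege
        eligible.append((len(perms - required), role))
    return min(eligible)[1] if eligible else None

if __name__ == "__main__":
    print(least_privilege_role(REQUIRED, CANDIDATES))
```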
