Google Cloud Professional Cloud Security Engineer Practice Exam

When granting IAM roles for audit log access in different application environments, what should you do for the developers?

• A. Grant logging.viewer role at the organization level
• B. Grant logging.viewer role at the project level
• C. Grant logging.viewer role at the folder level for dev projects
• D. Grant logging.admin role at the folder level for the organization

The correct answer is: Grant logging.viewer role at the folder level for dev projects

Granting the logging.viewer role at the folder level for development projects is advantageous as it enables finer control over access to audit logs. By assigning this role at the folder level, only the necessary teams and projects under that particular folder gain visibility into log data. This is particularly important in environments with multiple projects, ensuring that developers can access relevant logs without having an undue exposure to sensitive logs associated with other projects or production environments. This approach balances accessibility for developers with security best practices, segregating environments to minimize risk. It also allows organizations to maintain clear boundaries between development, testing, and production environments, showcasing an understanding of the principle of least privilege, where users are granted only those permissions that are essential for their duties. Choosing to grant the logging.viewer role at a broader level, such as the organization or project level, could inadvertently provide more access than necessary, increasing the potential for mismanagement or accidental exposure of sensitive information. Therefore, assigning this role specifically at the folder level designed for development strikes an optimal balance between access and control, enabling developers to perform their auditing tasks effectively while maintaining security.