Google Cloud Professional Cloud Security Engineer Practice Exam


Which IAM role should be granted to provide view access to security-related logs while adhering to least privilege principles?

  1. roles/logging.viewer

  2. roles/logging.privateLogViewer

  3. roles/storage.objectViewer

  4. roles/logging.admin

The correct answer is: roles/logging.privateLogViewer

The appropriate IAM role to provide view access to security-related logs while following the principle of least privilege is the role designed specifically for access to sensitive logging information, such as private logs. The role `roles/logging.privateLogViewer` allows users to view logs that have restrictions and are limited to certain users or services, which is crucial for examining security-related logs without exposing unnecessary data or permissions to users.

This role ensures that users have only the permissions required to access security logs and not beyond, aligning perfectly with the principles of least privilege. By restricting access, it minimizes the risk of unauthorized access to sensitive log information that may contain security insights or compliance-related data.

The other roles mentioned do not cater specifically to the nuance of security-related logs. For instance, `roles/logging.viewer` offers broader access to logs, which could compromise the least privilege principle by allowing visibility into other logging events beyond what may be appropriate for security monitoring. The `roles/storage.objectViewer` role is primarily for viewing objects in Cloud Storage, which is unrelated to logging access. Meanwhile, `roles/logging.admin` grants a high level of access, including permissions to modify logs, going against the principle of least privilege by providing more access than is necessary for just viewing logs.