
Associate Cloud Engineer Exam - Question 25


You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?

Correct Answer: A

To configure IAM access audit logging in BigQuery for external auditors while following Google-recommended practices, you should add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles. This ensures that auditors have the necessary permissions to view audit logs and data in BigQuery without granting them more access than needed. Using predefined roles simplifies management and adheres to the principle of least privilege, and using groups rather than individual user accounts facilitates easier and more scalable access control.
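The explanation above can be checked against a real IAM policy. The following is an added example, not part of the original page or of Google's documentation: it reviews a policy document for the two predefined roles on the auditors group and flags custom roles or direct user bindings. The group address, project ID and custom role name are constructed placeholders.

```python
import json

# Constructed sample policy (not from the page), in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/logging.viewer",
     "members": ["group:external-auditors@example.com"]},
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:external-auditors@example.com",
                 "user:auditor1@example.com"]},
    {"role": "projects/example-project/roles/customAuditViewer",
     "members": ["group:external-auditors@example.com"]}
  ]
}
""")

# The two predefined roles named in answer A, in full IAM role-ID form.
AUDITOR_ROLES = {"roles/logging.viewer", "roles/bigquery.dataViewer"}


def review_auditor_access(policy, auditors_group):
    """Return a list of findings about how auditor access is granted."""
    group_member = "group:" + auditors_group
    findings, granted = [], set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == group_member:
                granted.add(role)
                # Predefined role IDs start with "roles/"; custom roles are
                # scoped as projects/... or organizations/...
                if not role.startswith("roles/"):
                    findings.append("custom role on auditors group: " + role)
                elif role not in AUDITOR_ROLES:
                    findings.append("extra role on auditors group: " + role)
            elif member.startswith("user:") and role in AUDITOR_ROLES:
                # Individual accounts bound directly instead of via the group.
                findings.append("direct user binding: %s on %s" % (member, role))
    for role in sorted(AUDITOR_ROLES - granted):
        findings.append("auditors group is missing: " + role)
    return findings


if __name__ == "__main__":
    for finding in review_auditor_access(SAMPLE_POLICY,
                                         "external-auditors@example.com"):
        print(finding)
```

An empty result means the group holds exactly the two predefined roles and no individual account is bound to them directly.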

Discussion

82 comments
coldpar
Mar 15, 2020

Correct is A. As per Google best practices, it is recommended to use predefined roles and create groups to control access for multiple users with the same responsibility.

droogie
Jul 4, 2020

You assume Auditors Group = External Auditors only. Auditors Group may contain both Internal and External Auditors.

robor97
Dec 2, 2020

The question literally says - External Auditors

adeice
Mar 24, 2021

I can create External group and Internal group Auditors

here2help
Apr 30, 2021

It's crazy to me how whoever answered these answers them incorrectly and then puts a link up that directly contradicts themselves. The correct answer is A. Google always recommends adding users to a group and then giving the group access. Additionally, Google recommends using predefined roles since they have been well thought out when created, and are there to save companies the hassle of having to know what granular access every single person needs.

leba
Apr 28, 2020

Correct is C The organization creates a temporary auditor account for each audit period. This account is monitored and is typically granted access to the dashboard application.

smanoj85
Mar 19, 2023

Correct Answer is B By creating a custom IAM role, you can specify the exact permissions that the auditors need, and avoid granting them unnecessary permissions that come with predefined IAM roles. In this case, you can create two custom IAM roles: one for 'logging.viewer' and one for 'bigQuery.dataViewer', and grant the corresponding permissions to each role. Then, you can add the auditors group to these custom roles to give them access to the required logs and data.

smanoj85
Mar 19, 2023

Correct Answer is B Option A is incorrect because the logging.viewer and bigQuery.dataViewer roles only grant read access to logs and data in BigQuery, respectively. These roles do not provide audit logging capabilities. Option C is incorrect because it suggests adding individual user accounts to the roles, whereas the question specifically asks for adding an auditors group. In addition, adding individual user accounts can be difficult to manage and does not scale well as the number of auditors increases. It is generally recommended to use groups for managing access whenever possible. Option D suggests adding the auditor user accounts to two new custom IAM roles, which could work. However, the question specifically asks for following Google-recommended practices. The recommended practice is to use predefined roles over custom roles whenever possible. Therefore, option B, which suggests adding the auditors group to two new custom IAM roles, is not recommended.

YourCloudGuru
Option: A
Sep 27, 2023

The correct answer is A. This option follows Google-recommended practices, because it allows you to grant auditors access to view audit logs without granting them access to other resources in your project. The other options are not as good:
* Option B is not as good, because it requires you to create two new custom IAM roles. This can be complex and time-consuming.
* Option C is not as good, because it grants auditors access to all audit logs in your project, including audit logs for resources that they do not need access to.
* Option D is not as good, because it grants auditors access to all data in your BigQuery datasets, including data that they do not need access to.

Nikimiki
Nov 22, 2021

The true evil is this question itself is so dumb, so American, so confusing.... two options A and C are both arguably correct on their own term. The big question is why this kind of vague, ambiguous questions show up in the exam to create confusion. It is not testing technical skill or knowledge, but it is starting a whole new philosophical debate! Another oddity is who has the golden key for all these questions? Who is showing you those "Correct Answer" when you click on the "Reveal Answer"? This nation is increasingly dumber and dumber!

GreenTick
Dec 2, 2021

they expect the best answer (efficient, low cost, best practice).

Bobbybash
Option: B
Feb 12, 2023

B.... The recommended practice for configuring IAM access audit logging in BigQuery is to create two custom IAM roles for auditors: one with the bigquery.datasets.get permission, and the other with the bigquery.tables.getData permission. You should then add the auditors group to these custom IAM roles. This will allow auditors to view metadata about datasets and access data within tables, while preventing them from performing other operations on the BigQuery resources. Therefore, option B is the correct answer.

skindar
Apr 27, 2024

Answer A https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

ArtistS
Oct 17, 2023

A is correct. 1st you should know this is an exam. Google recommends xxx means you should choose group first.

ankit89
Apr 30, 2020

Option A is correct, see document, https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

mlantonis
Jun 6, 2020

Correct is A as you use group and predefined roles.

poogcp
Jun 10, 2020

A is the correct one , as per google recommended practice , assign role to group instead of user

ESP_SAP
Aug 15, 2020

Correct answer is A: Based on : Delegate responsibility with groups and service accounts We recommend collecting users with the same responsibilities into groups and assigning IAM roles to the groups rather than to individual users.

glam
Oct 7, 2020

A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

GCP_Student1
Jan 25, 2021

C is the correct option; https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

GCP_Student1
Feb 21, 2021

I will take it back answer is A A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

GCP_Student1
Feb 21, 2021

https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

jay1992
Aug 17, 2021

You nailed it

rafsrod
Option: A
Dec 17, 2021

A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles. Check: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

vijay456
Option: C
Oct 29, 2022

There is no group created and no option says create group too, so provided option C is suitable best answer.

Buruguduystunstugudunstuy
Option: B
Feb 19, 2023

I would say that Answer A is not the correct answer. While it is true that adding the auditor's group to the 'logging.viewer' and 'bigQuery.dataViewer' roles would allow them to view the logs and data in BigQuery, it does not enable IAM access audit logging. The correct answer is Answer B - Add the auditors group to two new custom IAM roles. You should create custom IAM roles with the necessary permissions to view IAM audit logs in BigQuery and assign those roles to the auditor's group. This follows the Google-recommended practice of using custom roles to grant least privilege access to resources. Answer C is incorrect because you should not add users' accounts to predefined IAM roles like logging.viewer or bigQuery.dataViewer. Predefined roles are meant to provide a general set of permissions for common use cases, and adding users or groups to them may grant them unnecessary access. Answer D is not the best practice as it is better to create separate custom IAM roles for each type of user rather than combining them.

Captain1212
Option: A
Sep 1, 2023

Google Recommended Practice A is the correct Answer add the users in the group then grant them the access

hems4all
Nov 1, 2020

Answer is A: Grant the auditors’ group roles/logging.viewer and roles/bigquery.dataViewer IAM roles. is the right answer. For external auditors, Google recommends we grant logging.viewer and bigquery.dataViewer roles. Since auditing happens several times a year to review the organization's audit logs, it is recommended we create a group with these grants and assign the group to auditor user accounts during the time of the audit. Ref: https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

JKRowlings
Dec 14, 2020

Ans is A. Best practice for easier management of user account is to use group.

INASR
Jan 26, 2021

Correct is A. Scenario: External auditors (From Google Documents) In this scenario, audit logs for an organization are aggregated and exported to a central sink location. A third-party auditor is granted access several times a year to review the organization's audit logs. The auditor is not authorized to view PII data in the Admin Activity logs. To comply with this requirement, a dashboard is available that provides access to the historic logs stored in BigQuery, and on request, to the Cloud Logging Admin Activity logs. The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application.

r1ck
Apr 13, 2021

A : always use groups as possible

TenshiD
Option: A
Nov 20, 2021

A is correct

AndresBayona
Option: A
Dec 7, 2021

https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Sekierer
Option: A
Dec 20, 2021

A is correct

sasonian
Option: A
Dec 31, 2021

A is the answer

YaaElon
Option: A
May 8, 2022

Best practice is to add to groups

AzureDP900
Jun 23, 2022

A is right.. don't fall on trap with C

PKookNN
Option: A
Oct 11, 2022

best practices recommend going with group instead of individual users so A is more correct than C

glanshima
Dec 12, 2022

Correct A The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. see: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

ExamsFR
Option: A
Jul 20, 2023

Correct answer is A

gsmasad
Option: A
Nov 1, 2023

As per Google best practices the roles should be assigned to a group & not to individual users

thewalker
Option: A
Nov 22, 2023

A Create a group with the auditors, grant 'logging.viewer' and 'bigQuery.dataViewer' roles to the group on a table / view with the required data.

sinh
Dec 24, 2023

https://cloud.google.com/iam/docs/job-functions/auditing?hl=ja#scenario_external_auditors

AZahid
Sep 1, 2020

A * The organization creates a Google group for these external auditors https://cloud.google.com/iam/docs/job-functions/auditing

prasanu
Oct 6, 2020

Ans is A, as Google recommends always create a group and add role into the group

glam
Oct 6, 2020

A.......

bayurzx
Oct 7, 2020

The correct answer is A. As you can see in this link for a scenario with external auditors https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Anonymous
Oct 25, 2020

Vote A, easier to manage with group

swatititame
Nov 15, 2020

• A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

vara3dk
Dec 25, 2020

Correct Ans is A The organization creates a Google group for these external auditors and adds the current auditor to the group. logging.viewer and bigQuery.dataViewer

krunals
Dec 26, 2020

Correct Answer is A It is always best practice to create a group, add team members to it and provide access to group. It is always easy to add/remove team members to group.

nherrerab
Jan 15, 2021

A is correct.

Nickkk
Feb 18, 2021

Answer : A Source : https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Vinod87
Feb 25, 2021

Correct is A.

JackGlemins
Feb 27, 2021

A is right: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application.

Rimjith
Mar 1, 2021

"Audit group" is not available by default and option A is not saying to create to one. So I believe possible answer is Option C

Jacky_YO
Mar 2, 2021

My Answer : C https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors Scenario: External auditors Role: Logging.viewer , Resource : Organization , Member : Dashboard Service Account , Description :The logging.viewer role permits the service account to read the Admin Activity logs in Cloud Logging. ex: { "bindings": [{ "role": "roles/logging.viewer", "members": [ "serviceAccount:prod-project-dashboard@admin-resources.iam.gserviceaccount.com" ] }] }

pas77
Jul 7, 2021

You really didn't read the link you've provided. It clearly shows to add users to a group. Coinciding with option A.

EABDAJA
Mar 10, 2021

A is correct

tarang3
Mar 13, 2021

Answer is C

tavva_prudhvi
Mar 21, 2021

Refer to this article, it clearly mentioned option A, and the best-recommended practices are to give permissions to groups. https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

tarang3
Mar 26, 2021

@tavva_prudhvi i agree upon checking the link provided by you that the answer is "A"

[Removed]
Mar 24, 2021

A is correct. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

pca2b
Mar 24, 2021

A: Use groups when possible, and Use predefined roles when possible

max94
Apr 28, 2021

Correct is A. And here is explanation why it's A and not B: Predefined roles are created and maintained by Google. Google automatically updates their permissions as necessary, such as when Google Cloud adds new features or services. Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically. https://cloud.google.com/iam/docs/understanding-custom-roles

mcaromit
May 11, 2021

A seems correct, though the question is not entirely clear to me

Student7
Jul 15, 2021

A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

Shruti_Pal
Aug 21, 2021

A is correct

ankatsu2010
Sep 25, 2021

Add user/group to role or add role to user/group?

Jaira1256
Nov 19, 2021

A is correct

vishnukumartr
Nov 19, 2021

A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

shawnkkk
Nov 19, 2021

A. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.

alaahakim
Nov 19, 2021

Correct is A

AndresBayona
Dec 7, 2021

I guess the correct answer is A because of this link https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Raz0r
Option: A
Jan 11, 2022

A is right no cap

Echo89
Apr 11, 2022

A for sure

theBestStudent
Apr 22, 2022

Answer is A. Google recommended practices is to use PREDEFINED roles (As in this case we need granularity to give specific roles to the group). And also use groups

jgnogueira
Option: A
Apr 26, 2022

The main best practice in any attribution of permission is to create a group

haroldbenites
May 23, 2022

Go for A https://cloud.google.com/iam/docs/job-functions/auditing https://cloud.google.com/iam/docs/job-functions/auditing

haroldbenites
May 23, 2022

Scenario: External auditors The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked. Data is redacted using Cloud DLP before being made accessible for viewing via the dashboard application. The table below explains IAM logging roles that an Organization Administrator can grant to the service account used by the dashboard, as well as the resource level at which the role is granted.

RanjithK
Jul 2, 2022

Answer is A

12234
Option: A
Aug 7, 2022

A is correct

iadarsh
Option: A
Sep 13, 2022

A is correct. Because if you directly add users to the IAM roles, then if any users left the organization then you have to remove the users from multiple places and need to revoke his/her access from multiple places. But, if you put a user into a group then it's very easy to manage these type of situations. Now, if any user left then you just need to remove the user from the group and all the access got revoked.

Cornholio_LMC
Sep 24, 2022

had this question today

PSS387
Option: A
Oct 21, 2022

Google recommends to group users to allow permissions

leogor
Oct 23, 2022

A, auditors group

asallo
Mar 11, 2023

A is the most appropriate Answer

vinodthakur49
Option: C
Jul 16, 2023

There is no group created already, so C is the right answer.

sthapit
Aug 9, 2023

C Option A, which suggests adding the auditors group to predefined roles, might not be as appropriate as using individual auditor user accounts. It's generally a best practice to assign permissions to specific users rather than groups, as it provides better granularity and control over access.

sinh
Option: A
Jan 16, 2024

auditors group

andreiboaghe95
Option: A
Jun 10, 2024

correct answer is A

garg.vnay
Jul 24, 2024

Correct Answer is A. you should add a role to the group of users instead of adding particular users in IAM

Cloudmoh
Option: A
Feb 10, 2025

Based on best practices, a group should be created, and both auditors should be added and predefined 'logging.viewer' and 'bigQuery.dataViewer' roles will be granted.

tabnaz
Option: A
Mar 2, 2025

Correct is A.