Assigning Cloud IAM Roles to External Auditor for GCP Audit Logs and Data Access Logs

Assigning Cloud IAM Roles to External Auditor

Question

You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external auditor.

The auditor needs to have permissions to review your Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs.

What should you do?

Answers

A. Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.

B. Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.

C. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.

D. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.

Correct answer: C.

Explanations


The question asks you to assign a Cloud IAM role to an external auditor, who needs to review both GCP Audit Logs and Data Access logs. Here are the answer choices:

A. Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.

This answer assigns the predefined role roles/logging.privateLogViewer. "Private" logs here does not mean logs hidden from the public; it is the Cloud Logging term for the Data Access audit logs, and this role grants everything in Logs Viewer plus read access to them (it contains the logging.privateLogEntries.list permission). Exporting the logs to Cloud Storage then gives the auditor a durable copy to work from. The permissions are therefore sufficient; the weakness is scope. The predefined role also grants read access to every other log in the project, which is more than an external party needs when a custom role with the single gating permission would do. Therefore this answer is not the preferred one.

B. Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.

This answer uses the same role as A but, instead of exporting the logs, directs the auditor to also review the logs for changes to Cloud IAM policy. Checking the SetIamPolicy entries in the Admin Activity audit log is sound audit hygiene, but it is advice to the auditor, not part of the access assignment the question asks for, and the role carries the same over-broad scope as in A. Therefore this answer is also not correct.

C. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.

This answer creates a custom role containing logging.privateLogEntries.list, the permission that gates read access to Data Access audit logs, and binds the auditor to it. That is the least-privilege option: the auditor gets the one permission the task requires rather than the full Logs Viewer capability that the predefined role brings, and exporting the logs to Cloud Storage gives them a durable copy to review. Two practical caveats apply. Data Access audit logs are disabled by default for most services (BigQuery is the exception), so they must be enabled in the project's audit configuration before there is anything to review. And logging.privateLogEntries.list only removes the restriction on the Data Access entries; a custom role the auditor can actually query logs with will also need logging.logEntries.list and logging.logs.list. With those in place, this answer is correct.

D. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.

This answer uses the same custom role as C but, like B, replaces the export with an instruction to review the logs for changes to Cloud IAM policy. The role grants the needed access, but the instruction does not give the auditor a copy of the logs to work from and is not part of the access assignment requested. Therefore this answer is also not correct.

In summary, the correct answer is C: Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage. This gives the auditor exactly the permission needed to read GCP Audit Logs and Data Access logs, nothing broader, plus a Cloud Storage export to review. Note that the Logging permission does not extend to the export bucket: the auditor also needs an object-read role (roles/storage.objectViewer) on that bucket, and the sink's writer identity needs roles/storage.objectCreator on it, or the export never lands and the auditor cannot read it.
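The provisioning behind answer C, as an added example that is not code from the original page or from Google: it builds the custom-role definition, performs the read-modify-write of the project IAM policy that enables Data Access audit logs and binds the auditor to the custom role only, checks that the auditor holds no broader role, and lists the gcloud steps for the role, the policy and the Cloud Storage export sink. The project id, auditor principal, bucket, role id and the sample policy are assumptions constructed for the example; the policy layout follows what `gcloud projects get-iam-policy --format=json` returns.

```python
"""Least-privilege audit-log review access for an external auditor (added example)."""
import copy
import json

PROJECT_ID = "example-project"                 # assumption
AUDITOR = "user:auditor@example.com"           # assumption: external principal
ROLE_ID = "auditLogReviewer"                   # assumption: custom role id
BUCKET = "example-project-audit-export"        # assumption: export bucket
CUSTOM_ROLE = f"projects/{PROJECT_ID}/roles/{ROLE_ID}"

# logging.privateLogEntries.list gates the Data Access audit logs; the other two
# let the auditor list logs and run queries at all.
ROLE_PERMISSIONS = ["logging.privateLogEntries.list",
                    "logging.logEntries.list",
                    "logging.logs.list"]

# Constructed sample of the current project policy. DATA_READ is already on
# with an exemption that the merge must preserve; the etag must be carried over
# so set-iam-policy rejects a stale write.
SAMPLE_POLICY = {
    "etag": "BwXyz123",
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "DATA_READ",
                                           "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]}]}],
}


def custom_role_definition() -> dict:
    """Body for `gcloud iam roles create ROLE_ID --file=role.yaml` (JSON is valid YAML)."""
    return {"title": "Audit Log Reviewer",
            "description": "Read Admin Activity and Data Access audit logs only",
            "stage": "GA",
            "includedPermissions": list(ROLE_PERMISSIONS)}


def enable_data_access_logs(policy: dict) -> dict:
    """Add ADMIN_READ/DATA_READ/DATA_WRITE for allServices, keeping existing entries."""
    policy = copy.deepcopy(policy)
    configs = policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == "allServices"), None)
    if entry is None:
        entry = {"service": "allServices", "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in ("ADMIN_READ", "DATA_READ", "DATA_WRITE"):
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return policy


def grant_auditor(policy: dict, member: str = AUDITOR, role: str = CUSTOM_ROLE) -> dict:
    """Bind the member to the role; idempotent, ignores conditional bindings."""
    policy = copy.deepcopy(policy)
    bindings = policy.setdefault("bindings", [])
    binding = next((b for b in bindings if b["role"] == role and "condition" not in b), None)
    if binding is None:
        binding = {"role": role, "members": []}
        bindings.append(binding)
    if member not in binding["members"]:
        binding["members"].append(member)
    return policy


def excess_roles(policy: dict, member: str = AUDITOR) -> list:
    """Roles the member holds besides the custom role; empty means least privilege."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []) and b["role"] != CUSTOM_ROLE)


def apply_policy(policy: dict) -> dict:
    """Full read-modify-write result to write out as policy.json."""
    return grant_auditor(enable_data_access_logs(policy))


def gcloud_commands() -> list:
    """The gcloud steps; role.yaml and policy.json come from the functions above."""
    return [
        f"gcloud iam roles create {ROLE_ID} --project={PROJECT_ID} --file=role.yaml",
        f"gcloud projects set-iam-policy {PROJECT_ID} policy.json",
        # Export Admin Activity and Data Access audit logs to the bucket.
        f"gcloud logging sinks create audit-export storage.googleapis.com/{BUCKET} "
        f"--project={PROJECT_ID} --log-filter='logName:\"cloudaudit.googleapis.com\"'",
        # The Logging role does not cover the bucket; the auditor needs object read there.
        f"gcloud storage buckets add-iam-policy-binding gs://{BUCKET} "
        f"--member={AUDITOR} --role=roles/storage.objectViewer",
    ]


if __name__ == "__main__":
    new_policy = apply_policy(SAMPLE_POLICY)
    if excess_roles(new_policy):
        raise SystemExit(f"auditor holds extra roles: {excess_roles(new_policy)}")
    print(json.dumps(custom_role_definition(), indent=2))
    print(json.dumps(new_policy, indent=2))
    print("\n".join(gcloud_commands()))
```

After `gcloud logging sinks create` prints the sink's writer identity, grant that service account roles/storage.objectCreator on the bucket, otherwise the export never lands. Run `excess_roles` again on the policy you read back after `set-iam-policy`: if someone later adds the auditor to roles/logging.privateLogViewer or roles/viewer, the check flags it.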