You need to configure IAM access audit logging in BigQuery for external auditors.
You want to follow Google-recommended practices.
What should you do?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
https://cloud.google.com/iam/docs/roles-audit-loggingTo configure IAM access audit logging in BigQuery for external auditors and follow Google-recommended practices, the correct approach is to create two new custom IAM roles and add the auditor user accounts to those roles. Therefore, option D is the correct answer.
Here is the explanation for each option:
A. Add the auditors group to the logging.viewer and bigQuery.dataViewer predefined IAM roles. This option is not recommended because it grants excessive permissions to the auditors. The logging.viewer and bigQuery.dataViewer roles provide read access to all logs and data in BigQuery, which can result in a potential data breach or violation of privacy regulations.
B. Add the auditors group to two new custom IAM roles. This option is close to the correct answer but it is incomplete. While creating two new custom IAM roles is a good practice, it is necessary to specify the exact permissions required for auditing purposes. The roles can be named as per the organization's naming convention, and they should include only the necessary permissions for the auditors to review IAM access logs in BigQuery.
C. Add the auditor user accounts to the logging.viewer and bigQuery.dataViewer predefined IAM roles. This option is not recommended for the same reason as option A. It grants excessive permissions to the auditors, which can result in unauthorized access to sensitive data.
D. Add the auditor user accounts to two new custom IAM roles. This is the correct option because it follows the recommended practice of creating custom IAM roles with specific permissions for external auditors. The roles should be created with the minimum necessary permissions to view IAM access logs in BigQuery. By doing so, the organization can provide auditors with the necessary access while minimizing the risk of data breaches or privacy violations.
In summary, the recommended approach is to create two new custom IAM roles with specific permissions for the external auditors and add the auditor user accounts to those roles.