Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Google Exam Professional-Cloud-DevOps-Engineer Topic 2 Question 71 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 71
Topic #: 2
[All Professional Cloud DevOps Engineer Questions]

You have deployed a fleet Of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: A

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

The logging.logWriter role allows the service account to write log entries to Cloud Logging4.

The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.


Service accounts, Service accounts. Setting up Stackdriver Logging for Compute Engine, Setting up Stackdriver Logging for Compute Engine. Setting up Stackdriver Monitoring for Compute Engine, Setting up Stackdriver Monitoring for Compute Engine. Predefined roles, Predefined roles. Predefined roles, Predefined roles. Predefined roles, Predefined roles. [Predefined roles], Predefined roles. [Predefined roles], Predefined roles.

by Pansy at Jun 29, 2024, 06:10 AM

Limited Time Offer

25%

Off

Get Premium Professional-Cloud-DevOps-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Linwood
3 months ago
I think option A is the best choice, it follows the principle of least privilege while granting the necessary access.
upvoted 0 times
...
Brent
3 months ago
I'm not sure, maybe we should also consider the logging.logwriter role for more granular control.
upvoted 0 times
...
Chu
3 months ago
This one's a toughie, but I'm going to go with D. I mean, who doesn't love a good dose of logging and monitoring? It's like the chocolate and peanut butter of cloud security!
upvoted 0 times
Amalia
3 months ago
I agree, D seems like the best choice for granting the necessary roles to the Compute Engine service account.
upvoted 0 times
...
Karan
3 months ago
I think D is the correct answer too. Logging and monitoring go hand in hand.
upvoted 0 times
...
...
Elden
3 months ago
D all the way! Gotta love that principle of least privilege. I bet the exam writer is a real stickler for security best practices.
upvoted 0 times
...
Robt
3 months ago
I agree with Kanisha, those roles provide the necessary access for monitoring metrics and logs.
upvoted 0 times
...
Delpha
3 months ago
Hmm, I'm not sure about this one. I'm going to go with B just to be safe. I don't want to risk any security issues, you know?
upvoted 0 times
Isaiah
2 months ago
User1: Alright, let's go with B then.
upvoted 0 times
...
Wava
2 months ago
User3: B sounds good to me too.
upvoted 0 times
...
Kenneth
2 months ago
User2: I agree, let's go with B.
upvoted 0 times
...
Twana
2 months ago
User1: I think B is the right choice.
upvoted 0 times
...
...
Kanisha
3 months ago
I think we should grant the logging.editor and monitoring.metricwriter roles.
upvoted 0 times
...
Merissa
3 months ago
The answer is clearly D. Logging and monitoring are critical for operations and security teams, and granting the least privileged roles is a must. Nice question!
upvoted 0 times
Kiley
3 months ago
Yes, D is the correct answer for this scenario.
upvoted 0 times
...
Ngoc
3 months ago
I agree, granting the least privileged roles is crucial for security.
upvoted 0 times
...
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77