
Google Professional Cloud DevOps Engineer Exam - Topic 3 Question 67 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 67
Topic #: 3

You have deployed a fleet of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?

Suggested Answer: A

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API [1]. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf [1]. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account [2][3]:

- The logging.logWriter role allows the service account to write log entries to Cloud Logging [4].
- The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring [5].

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries [6]. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.
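The least-privilege check described above can be automated. The following is an added example, not part of the original page: it audits a project IAM policy for one service account and builds the gcloud commands that would leave it with exactly the two writer roles. The policy, service account email and project ID are constructed, and the audit assumes the account is used only to ship logs and metrics.

```python
import json

# Roles the page names as sufficient for an instance to write logs and metrics.
REQUIRED = {"roles/logging.logWriter", "roles/monitoring.metricWriter"}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/logging.admin",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/monitoring.metricWriter",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:other-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.viewer", "members": ["group:secops@example.com"]}
  ]
}
""")

def roles_for(policy, member):
    """Return the set of roles bound to one member in a project IAM policy."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit(policy, service_account_email):
    """Compare a service account's granted roles with the two writer roles."""
    granted = roles_for(policy, "serviceAccount:" + service_account_email)
    return {
        "missing": sorted(REQUIRED - granted),
        "excess": sorted(granted - REQUIRED),
        "compliant": granted == REQUIRED,
    }

def remediation(policy, service_account_email, project_id):
    """Build gcloud commands; grants come first so log shipping never breaks."""
    result = audit(policy, service_account_email)
    member = "serviceAccount:" + service_account_email
    cmds = [f"gcloud projects add-iam-policy-binding {project_id} "
            f"--member={member} --role={role}" for role in result["missing"]]
    cmds += [f"gcloud projects remove-iam-policy-binding {project_id} "
             f"--member={member} --role={role}" for role in result["excess"]]
    return cmds

if __name__ == "__main__":
    sa = "123456789012-compute@developer.gserviceaccount.com"  # constructed
    print(audit(SAMPLE_POLICY, sa))
    print("\n".join(remediation(SAMPLE_POLICY, sa, "example-project")))
```

Review the generated commands before running them: a role reported as excess may be needed by the workload itself rather than by the logging and monitoring agents.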


[1] Service accounts
[2] Setting up Stackdriver Logging for Compute Engine
[3] Setting up Stackdriver Monitoring for Compute Engine
[4] Predefined roles
[5] Predefined roles
[6] Predefined roles

Cecilia
4 months ago
I’m surprised that logging.editor is even an option here.
upvoted 0 times
...
Dorothea
4 months ago
I thought logging.admin was necessary for full access?
upvoted 0 times
...
Emile
4 months ago
Wait, are we sure about the roles in option B? Seems too broad.
upvoted 0 times
...
Zita
4 months ago
Definitely agree with D! Makes the most sense.
upvoted 0 times
...
Diego
4 months ago
I think option D is the best choice for least privilege.
upvoted 0 times
...
Yasuko
5 months ago
I feel like option B might be too broad with "admin" roles, which doesn't align with least privilege. I think we should stick to more specific roles like in option D.
upvoted 0 times
...
Martha
5 months ago
I practiced a similar question where we had to assign roles for monitoring, and I feel like "metricWriter" is definitely important, but I can't remember if it was in option A or D.
upvoted 0 times
...
Merissa
5 months ago
I think option D sounds familiar because it mentions both logging and monitoring roles, but I can't recall if "logWriter" is the correct spelling.
upvoted 0 times
...
Brandon
5 months ago
I remember we discussed the principle of least privilege, but I'm not sure which specific roles are the most appropriate for this scenario.
upvoted 0 times
...
Arminda
5 months ago
This seems straightforward. The question is asking us to grant the appropriate roles to the Compute Engine service accounts, so I'll go with option D to cover the logging and monitoring requirements.
upvoted 0 times
...
Dorothea
5 months ago
I'm a bit confused on the difference between the logging.editor and logging.logwriter roles. I'll need to double-check the documentation to make sure I understand the distinction.
upvoted 0 times
...
Sue
5 months ago
Okay, I think I've got this. The key is to grant the minimum required permissions for the Compute Engine service accounts to access logging and monitoring.
upvoted 0 times
...
Valentin
5 months ago
Hmm, this looks like a tricky IAM permissions question. I'll need to carefully review the available roles and think through the principle of least privilege.
upvoted 0 times
...
Junita
6 months ago
Okay, let's break this down step-by-step. First, I know a buffer cache is used to improve performance by caching frequently accessed data. Then I need to look at each statement and determine which ones are true based on my understanding of how a buffer cache works.
upvoted 0 times
...
Francis
6 months ago
I wonder if cross-storage device vertical tiering could help with performance; it sounds familiar but I'm not confident about applying it in this context.
upvoted 0 times
...
Izetta
2 years ago
I agree. Option C is also higher access than needed. Let's go with D.
upvoted 0 times
...
Kimbery
2 years ago
Option B offers admin-level access. Doesn't seem to align with least privilege.
upvoted 0 times
...
Broderick
2 years ago
D mentions logWriter and metricWriter. Seems like it captures essential duties without excess permissions.
upvoted 0 times
...
Izetta
2 years ago
I think option D sounds logical. Least privilege means minimal necessary roles.
upvoted 0 times
...
Kimbery
2 years ago
Yeah, it's asking about specific roles in IAM. Not that easy.
upvoted 0 times
...
Broderick
2 years ago
This question is quite detailed. Makes me nervous.
upvoted 0 times
...
