Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions

Google Exam Professional Cloud DevOps Engineer Topic 1 Question 73 Discussion

Actual exam question for Google's Professional Cloud DevOps Engineer exam
Question #: 73
Topic #: 1
[All Professional Cloud DevOps Engineer Questions]

You have deployed a fleet Of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: A

The correct answer is D. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.

According to the Google Cloud documentation, the Compute Engine service account is a Google-managed service account that is automatically created when you enable the Compute Engine API1. This service account is used by default to run your Compute Engine instances and access other Google Cloud services on your behalf1. To ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring, you need to grant the following IAM roles to the Compute Engine service account23:

The logging.logWriter role allows the service account to write log entries to Cloud Logging4.

The monitoring.metricWriter role allows the service account to write custom metrics to Cloud Monitoring5.

These roles grant the minimum permissions that are needed for logging and monitoring, following the principle of least privilege. The other roles are either unnecessary or too broad for this purpose. For example, the logging.editor role grants permissions to create and update logs, log sinks, and log exclusions, which are not required for writing log entries6. The logging.admin role grants permissions to delete logs, log sinks, and log exclusions, which are not required for writing log entries and may pose a security risk if misused. The monitoring.editor role grants permissions to create and update alerting policies, uptime checks, notification channels, dashboards, and groups, which are not required for writing custom metrics.


Service accounts, Service accounts. Setting up Stackdriver Logging for Compute Engine, Setting up Stackdriver Logging for Compute Engine. Setting up Stackdriver Monitoring for Compute Engine, Setting up Stackdriver Monitoring for Compute Engine. Predefined roles, Predefined roles. Predefined roles, Predefined roles. Predefined roles, Predefined roles. [Predefined roles], Predefined roles. [Predefined roles], Predefined roles.

Contribute your Thoughts:

Charisse
4 months ago
Option D is the clear winner here. Gotta love it when the right choice is also the most secure one!
upvoted 0 times
Irma
3 months ago
I agree, option D is the best for ensuring monitoring metrics and logs are visible while following the principle of least privilege.
upvoted 0 times
...
Loreen
3 months ago
Option D is definitely the way to go. It's the most secure choice.
upvoted 0 times
...
...
Tennie
4 months ago
Hmm, I wonder if the exam writers are trying to trick us with these options. It's almost too easy to spot the right answer.
upvoted 0 times
Annice
3 months ago
D) Grant the logging. logWriter and monitoring. metricWriter roles to the Compute Engine service accounts.
upvoted 0 times
...
Brunilda
3 months ago
I think that's the correct answer. It follows the principle of least privilege.
upvoted 0 times
...
Cammy
4 months ago
A) Grant the logging.editor and monitoring.metricwriter roles to the Compute Engine service accounts.
upvoted 0 times
...
...
Filiberto
4 months ago
D is the way to go. Why would we want to give more permissions than necessary? That's just asking for trouble.
upvoted 0 times
Jodi
3 months ago
I always make sure to grant the least amount of permissions possible to avoid any potential security breaches.
upvoted 0 times
...
Clay
3 months ago
I think D is the most secure option as well. It's important to only grant the permissions needed for the task.
upvoted 0 times
...
Amina
4 months ago
Exactly, giving more permissions than necessary can lead to security risks.
upvoted 0 times
...
Magnolia
4 months ago
I agree, D is the best option. We should always follow the principle of least privilege.
upvoted 0 times
...
...
Kris
4 months ago
I'm not sure, maybe we should also consider the logging.logwriter role for more granular access.
upvoted 0 times
...
Jose
5 months ago
I agree with Yuonne, those roles provide the necessary access for monitoring metrics and logs.
upvoted 0 times
...
Yuonne
5 months ago
I think we should grant the logging.editor and monitoring.metricwriter roles.
upvoted 0 times
...
Nana
5 months ago
I agree with Vernice. Granting the logging.logWriter and monitoring.metricWriter roles is the best way to follow the principle of least privilege.
upvoted 0 times
...
Vernice
5 months ago
Option D seems the most appropriate, as it grants the least privileged roles for logging and monitoring access.
upvoted 0 times
Jade
3 months ago
Agreed, it's important to only grant the necessary roles for monitoring and logging access.
upvoted 0 times
...
Dottie
3 months ago
That sounds good, it follows the principle of least privilege.
upvoted 0 times
...
Ona
4 months ago
I think we should grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
upvoted 0 times
...
Fannie
4 months ago
Agreed, option D is the best choice for ensuring security.
upvoted 0 times
...
Torie
4 months ago
Yeah, that makes sense. It follows the principle of least privilege.
upvoted 0 times
...
Rose
4 months ago
I agree, it's important to follow the principle of least privilege when granting access to sensitive data.
upvoted 0 times
...
Kenda
4 months ago
I think we should grant the logging.logWriter and monitoring.metricWriter roles.
upvoted 0 times
...
Patti
4 months ago
Option D seems the most appropriate, as it grants the least privileged roles for logging and monitoring access.
upvoted 0 times
...
...

Save Cancel