You manage an application that is writing logs to Stackdriver Logging. You need to give some team members the ability to export logs. What should you do?
A. Grant the team members the IAM role of logging.configWriter on Cloud IAM.
B. Configure Access Context Manager to allow only these members to export logs.
C. Create and grant a custom IAM role with the permissions logging.sinks.list and logging.sink.get.
D. Create an Organizational Policy in Cloud IAM to allow only these members to create log exports.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
C
Explanation
A. Grant the team members the IAM role of logging.configWriter on Cloud IAM.
(Provides permissions to read and write the configurations of logs-based metrics and sinks for exporting logs. Too broad.)
B. Configure Access Context Manager to allow only these members to export logs.
(Ruled out.)
C. Create and grant a custom IAM role with the permissions logging.sinks.list and logging.sink.get.
(Follows the principle of least privilege.)
D. Create an Organizational Policy in Cloud IAM to allow only these members to create log exports.
(Ruled out.)