Exam Associate Cloud Engineer topic 1 question 111 discussion

C - https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

Correct Answer is (C): roles/viewer Read access to all resources. Get and list access for all resources. Using primitive roles The following table lists the primitive roles that you can grant to access a project, the description of what the role does, and the permissions bundled within that role. Avoid using primitive roles except when absolutely necessary. These roles are very powerful, and include a large number of permissions across all Google Cloud services. For more details on when you should use primitive roles, see the Identity and Access Management FAQ. IAM predefined roles are much more granular, and allow you to carefully manage the set of permissions that your users have access to. See Understanding Roles for a list of roles that can be granted at the project level. Creating custom roles can further increase the control you have over user permissions. https://cloud.google.com/resource-manager/docs/access-control-proj#using_primitive_roles

the key word is "organisation Policy called Domain Restricted sharing." his external google account wont work

CORRECT ANSWER IS C

Domain Restricted Sharing: Since your organization has the Domain Restricted Sharing policy enabled, sharing resources with accounts outside your Cloud Identity domain isn't allowed. Therefore, options A and B, which involve using the auditor's Google account, aren't feasible.

C, without doubt

D As per the documentation, Security Reviewer is more narrow role than the basic Viewer role: https://cloud.google.com/iam/docs/understanding-roles#iam.securityReviewer https://cloud.google.com/iam/docs/understanding-roles#viewer

It could be A, But C is more practical and you don't have to give the auditor extra 3 seconds of work, and yourself for deleting him after he finishes

The correct answer is C

The Resource Manager provides a domain restriction constraint that can be used in organization policies to limit resource sharing based on domain or organization resource. This constraint allows you to restrict the set of identities that are allowed to be used in Identity and Access Management policies. Organization policies can use this constraint to limit resource sharing to identities that belong to a particular organization resource. https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains

C is more correct

Correct Answer is (C):

Correct Answer is (C): Answer A is wrong because we can't use the the auditor Google account, security team has enabled the Organization Policy specifying only one Cloud Identity domain.

Answer is definitely C Please review this as it seems to be looked over in the other comments https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains (a google account that isn't part of the domain will not work unless you specifically allow exceptions at the project level and that was not defined in the answers)

i believe it is C

Correct answer is C. A is not correct. You can not ask someone to create a personal google account. He/she has no obligation to do so

From: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors "The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked."