Streamlining and Expediting Analysis and Audit Process for Google Cloud IAM Policy Changes

Question

Auditors visit your teams every 12 months and ask to review all the Google Cloud Identity and Access Management (Cloud IAM) policy changes in the previous 12 months.

You want to streamline and expedite the analysis and audit process.

What should you do?

Answers

A. Create custom Google Stackdriver alerts and send them to the auditor.

B. Enable Logging export to Google BigQuery and use ACLs and views to scope the data shared with the auditor.

C. Use Cloud Functions to transfer log entries to Google Cloud SQL and use ACLs and views to limit an auditor's view.

D. Enable Google Cloud Storage (GCS) log export to audit logs into a GCS bucket and delegate access to the bucket.

Explanations

D.

The best option for streamlining and expediting the analysis and audit of Google Cloud Identity and Access Management (Cloud IAM) policy changes over the previous 12 months is to export the audit logs to a Google Cloud Storage (GCS) bucket and delegate access to that bucket. Option D is the correct answer.

Here's why:

Google Cloud IAM is a critical component of managing cloud resources on the Google Cloud Platform. It enables you to control access to resources in your cloud projects and manage the permissions of users, service accounts, and Google groups. It is important to track any changes made to Cloud IAM policies to ensure that access to resources is granted or revoked appropriately.

Option A: Create custom Google Stackdriver alerts and send them to the auditor

Creating custom Google Stackdriver alerts for Cloud IAM policy changes could help notify the auditor of any changes. However, this option does not give the auditor direct access to the data they need to review the policy changes. It only notifies them when there is a change, which means they will still need to request access to the relevant data before conducting an audit. This could slow down the audit process and is not the most efficient option.

Option B: Enable Logging export to Google BigQuery and use ACLs and views to scope the data shared with the auditor

Enabling Logging export to Google BigQuery is a good option for storing and managing the audit logs. It provides an efficient way to search, analyze and visualize the logs. However, this option requires additional work to set up the ACLs and views that limit an auditor's view of the data, which can be time-consuming and complex to implement. Furthermore, BigQuery may not be the ideal tool for auditors who are only interested in reviewing Cloud IAM policy changes.

Option C: Use Cloud Functions to transfer log entries to Google Cloud SQL and use ACLs and views to limit an auditor's view

Using Cloud Functions to transfer log entries to Google Cloud SQL is an interesting option, as it would provide a relational database for storing audit logs. However, as with option B, it requires additional work to set up the ACLs and views that limit the auditor's view of the data. This option is also more complex, and potentially more expensive, to set up and maintain than option D.

Option D: Enable Google Cloud Storage (GCS) log export to audit logs into a GCS bucket and delegate access to the bucket

Exporting the audit logs into a GCS bucket is the most straightforward and efficient option for this scenario. It gives auditors direct access to the audit logs in a simple and cost-effective way. Additionally, GCS buckets offer access controls that can be used to restrict who can read the audit logs. Delegating access to the bucket is done with IAM roles and permissions, which keeps the setup simple. Overall, this option is the most practical and efficient solution to streamline and expedite the analysis and audit process.
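Once the audit logs are sitting in the bucket, the auditor still has to turn a year of JSON-lines export files into a list of who granted or removed which role. The script below is an added example, not code from the original question or from Google; it assumes the Cloud Audit Log layout for IAM changes (`protoPayload.methodName` of `SetIamPolicy` with the role changes listed under `protoPayload.serviceData.policyDelta.bindingDeltas`), and the sample entries, project name, principals and the `PRIVILEGED_ROLES` set are constructed placeholders. It also shows the sink filter that keeps the export limited to IAM policy changes in the first place.

```python
"""Summarise Cloud IAM policy changes from audit-log entries exported to GCS.

Added example (not part of the original page). Assumes the Cloud Audit Log
JSON layout for IAM changes; all sample data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Filter for the Logging sink that feeds the bucket: only Admin Activity
# entries whose method changed an IAM policy.
SINK_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" '
    'AND protoPayload.methodName="SetIamPolicy"'
)

# Example set of roles an auditor would want flagged when granted (assumption).
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

LOG_NAME = "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"


def _entry(ts, method, actor, deltas):
    """Build one constructed audit-log entry in the exported JSON-lines shape."""
    return json.dumps({
        "timestamp": ts,
        "logName": LOG_NAME,
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": actor},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
        },
    })


# Constructed sample export: one JSON object per line, as the GCS sink writes it.
SAMPLE_EXPORT = "\n".join([
    _entry("2024-03-01T10:15:00Z", "SetIamPolicy", "admin@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:new-owner@example.com"}]),
    _entry("2024-05-20T08:00:00Z", "SetIamPolicy", "ops@example.com",
           [{"action": "REMOVE", "role": "roles/owner", "member": "user:new-owner@example.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]),
    # An unrelated admin-activity entry that a broader export would also contain.
    _entry("2024-06-02T12:00:00Z", "v1.compute.instances.insert", "ops@example.com", []),
])


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def iter_iam_changes(jsonl_text, start=None, end=None):
    """Yield one flat record per binding delta in SetIamPolicy entries.

    start/end are optional ISO dates (UTC) bounding the audit window, e.g. the
    previous 12 months.
    """
    lo = _parse_ts(start).replace(tzinfo=timezone.utc) if start else None
    hi = _parse_ts(end).replace(tzinfo=timezone.utc) if end else None
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        ts = _parse_ts(entry["timestamp"])
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            yield {
                "timestamp": entry["timestamp"],
                "resource": payload.get("resourceName"),
                "actor": actor,
                "action": d.get("action"),
                "role": d.get("role"),
                "member": d.get("member"),
            }


def summarize(jsonl_text, start=None, end=None):
    """Return (counts per action, list of privileged-role grants) for the window."""
    counts = defaultdict(int)
    privileged_grants = []
    for change in iter_iam_changes(jsonl_text, start, end):
        counts[change["action"]] += 1
        if change["action"] == "ADD" and change["role"] in PRIVILEGED_ROLES:
            privileged_grants.append(change)
    return dict(counts), privileged_grants


if __name__ == "__main__":
    counts, grants = summarize(SAMPLE_EXPORT)
    print("changes by action:", counts)
    for g in grants:
        print(f"PRIVILEGED GRANT {g['timestamp']} {g['actor']} -> {g['member']} as {g['role']}")
```

To feed the bucket, the sink is created with `gcloud logging sinks create SINK_NAME storage.googleapis.com/BUCKET_NAME --log-filter='...'` using the filter above, the sink's writer identity is granted `roles/storage.objectCreator` on the bucket, and the auditors' group is granted `roles/storage.objectViewer` on that bucket only. The auditor can then download the export files and run the script over their concatenated contents; passing `start` and `end` scopes the summary to the 12-month window under review.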