Customers Passed Google Professional-Cloud-Security-Engineer Exam
Average Score In Real Professional-Cloud-Security-Engineer Exam
Questions came from our Professional-Cloud-Security-Engineer dumps.
Welcome to PassExamHub's comprehensive study guide for the Google Cloud Certified - Professional Cloud Security Engineer exam. Our Professional-Cloud-Security-Engineer dumps is designed to equip you with the knowledge and resources you need to confidently prepare for and succeed in the Professional-Cloud-Security-Engineer certification exam.
PassExamHub's Professional-Cloud-Security-Engineer dumps PDF is carefully crafted to provide you with a comprehensive and effective learning experience. Our study material includes:
In-depth Content: Our study guide covers all the key concepts, topics, and skills you need to master for the Professional-Cloud-Security-Engineer exam. Each topic is explained in a clear and concise manner, making it easy to understand even the most complex concepts.
Online Test Engine: Test your knowledge and build your confidence with a wide range of practice questions that simulate the actual exam format. Our test engine cover every exam objective and provide detailed explanations for both correct and incorrect answers.
Exam Strategies: Get valuable insights into exam-taking strategies, time management, and how to approach different types of questions.
Real-world Scenarios: Gain practical insights into applying your knowledge in real-world scenarios, ensuring you're well-prepared to tackle challenges in your professional career.
Expertise: Our Professional-Cloud-Security-Engineer exam questions answers are developed by experienced Google certified professionals who have a deep understanding of the exam objectives and industry best practices.
Comprehensive Coverage: We leave no stone unturned in covering every topic and skill that could appear on the Professional-Cloud-Security-Engineer exam, ensuring you're fully prepared.
Engaging Learning: Our content is presented in a user-friendly and engaging format, making your study sessions enjoyable and effective.
Proven Success: Countless students have used our study materials to achieve their Professional-Cloud-Security-Engineer certifications and advance their careers.
Start Your Journey Today!
Embark on your journey to Google Cloud Certified - Professional Cloud Security Engineer success with PassExamHub. Our study material is your trusted companion in preparing for the Professional-Cloud-Security-Engineer exam and unlocking exciting career opportunities.
QUESTION 233 You manage a mission-critical workload for your organization, which is in a highly regulated industry The workload uses Compute Engine VMs to analyze and process the sensitive data after it is uploaded to Cloud Storage from the endpomt computers. Your compliance team has detected that this workload does not meet the data protection requirements for sensitive dat a. You need to meet these requirements; Manage the data encryption key (DEK) outside the Google Cloud boundary. Maintain full control of encryption keys through a third-party provider. Encrypt the sensitive data before uploading it to Cloud Storage Decrypt the sensitive data during processing in the Compute Engine VMs Encrypt the sensitive data in memory while in use in the Compute Engine VMs What should you do? Choose 2 answers
A. Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets
B. Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.
C. Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage and decrypt the sensitive data after it is downloaded into your VMs
D. Create Confidential VMs to access the sensitive data.
E. Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.
Your organization wants to be compliant with the General Data Protection Regulation (GDPR) on Google Cloud You must implement data residency and operational sovereignty in the EU. What should you do? Choose 2 answers
A. Limit the physical location of a new resource with the Organization Policy Service resource locations constraint."
B. Use Cloud IDS to get east-west and north-south traffic visibility in the EU to monitor intra-VPC and
mter-VPC communication.
C. Limit Google personnel access based on predefined attributes such as their citizenship or geographic location by using Key Access Justifications
D. Use identity federation to limit access to Google Cloud resources from non-EU entities.
E. Use VPC Flow Logs to monitor intra-VPC and inter-VPC traffic in the EU.
Your company's users access data in a BigQuery table. You want to ensure they can only access the data during working hours. What should you do?
A. Assign a BigQuery Data Viewer role along with an 1AM condition that limits the access to specified working hours.
B. Configure Cloud Scheduler so that it triggers a Cloud Functions instance that modifies the organizational policy constraints for BigQuery during the specified working hours.
C. Assign a BigQuery Data Viewer role to a service account that adds and removes the users daily during the specified working hours
D. Run a gsuttl script that assigns a BigQuery Data Viewer role, and remove it only during the specified working hours.
You are developing a new application that uses exclusively Compute Engine VMs Once a day. this application will execute five different batch jobs Each of the batch jobs requires a dedicated set of permissions on Google Cloud resources outside of your application. You need to design a secure access concept for the batch jobs that adheres to the least-privilege principle What should you do?
A. 1. Create a general service account **g-sa" to execute the batch jobs. 2 Grant the permissions required to execute the batch jobs to g-sa. 3. Execute the batch jobs with the permissions granted to g-sa
B. 1. Create a general service account "g-sa" to orchestrate the batch jobs. 2. Create one service account per batch job Mb-sa-[1-5]," and grant only the permissions required to run the individual batch jobs to the service accounts. 3. Grant the Service Account Token Creator role to g-sa Use g-sa to obtain short-lived access tokens for b-sa-[1-5] and to execute the batch jobs with the permissions of b-sa-[1-5].
C. 1. Create a workload identity pool and configure workload identity pool providers for each batch job 2 Assign the workload identity user role to each of the identities configured in the providers. 3. Create one service account per batch job Mb-sa-[1-5]". and grant only the permissions required to run the individual batch jobs to the service accounts 4 Generate credential configuration files for each of the providers Use these files to execute the batch jobs with the permissions of b-sa-[1-5].
D. 1. Create a general service account "g-sa" to orchestrate the batch jobs. 2 Create one service account per batch job 'b-sa-[1-5)\ Grant only the permissions required to run the individual batch jobs to the service accounts and generate service account keys for each of these service accounts.3. Store the service account keys in Secret Manager. Grant g-sa access to Secret Manager and run the batch jobs with the permissions of b-sa-[1-5].
Employees at your company use their personal computers to access your organization s Google Cloud console. You need to ensure that users can only access the Google Cloud console from their corporate-issued devices and verify that they have a valid enterprise certificate What should you do?
A. Implement an Identity and Access Management (1AM) conditional policy to verify the device certificate
B. Implement a VPC firewall policy Activate packet inspection and create an allow rule to validate and verify the device certificate.
C. Implement an organization policy to verify the certificate from the access context.
D. Implement an Access Policy in BeyondCorp Enterprise to verify the device certificate Create an access binding with the access policy just created.
You manage a fleet of virtual machines (VMs) in your organization. You have encountered issues with lack of patching in many VMs. You need to automate regular patching in your VMs and view the patch management data across multiple projects. What should you do? Choose 2 answers
A. Deploy patches with VM Manager by using OS patch management
B. View patch management data in VM Manager by using OS patch management.
C. Deploy patches with Security Command Center by using Rapid Vulnerability Detection.
D. View patch management data in a Security Command Center dashboard.
E. View patch management data in Artifact Registry.
Your Google Cloud environment has one organization node, one folder named Apps." and several projects within that folder The organizational node enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the terramearth.com organization The "Apps" folder enforces the constraints/iam.allowedPolicyMemberDomains organization policy, which allows members from the flowlogistic.com organization. It also has the inheritFromParent: false property. You attempt to grant access to a project in the Apps folder to the user [email protected]. What is the result of your action and why?
A. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy must be defined on the current project to deactivate the constraint temporarily.
B. The action fails because a constraints/iam.allowedPolicyMemberDomains organization policy is in place and only members from the flowlogistic.com organization are allowed.
C. The action succeeds because members from both organizations, terramearth. com or flowlogistic.com, are allowed on projects in the "Apps" folder
D. The action succeeds and the new member is successfully added to the project's Identity and Access Management (1AM) policy because all policies are inherited by underlying folders and projects.
You control network traffic for a folder in your Google Cloud environment. Your folder includes multiple projects and Virtual Private Cloud (VPC) networks You want to enforce on the folder level that egress connections are limited only to IP range 10.58.5.0 and only from the VPC network dev-vpc." You want to minimize implementation and maintenance effort What should you do?
A. 1. Attach external IP addresses to the VMs in scope. 2. Configure a VPC Firewall rule in "dev-vpc" that allows egress connectivity to IP range 10.58.5.0 for all source addresses in this network
B. 1. Attach external IP addresses to the VMs in scope. 2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10 58.5.0 from network dev-vpc.
C. 1. Leave the network configuration of the VMs in scope unchanged. 2. Create a new project including a new VPC network "new-vpc." 3 Deploy a network appliance in "new-vpc" to filter access requests and only allow egress connections from -dev-vpc" to 10.58.5.0.
D. 1 Leave the network configuration of the VMs in scope unchanged 2 Enable Cloud NAT for dev-vpc" and restrict the target range in Cloud NAT to 10.58.5 0.
Your organization develops software involved in many open source projects and is concerned about software supply chain threats You need to deliver provenance for the build to demonstrate the software is untampered. What should you do?
A. 1- Generate Supply Chain Levels for Software Artifacts (SLSA) level 3 assurance by using Cloud Build. 2. View the build provenance in the Security insights side panel within the Google Cloud console.
B. 1. Review the software process. 2. Generate private and public key pairs and use Pretty Good Privacy (PGP) protocols to sign the output software artifacts together with a file containing the address of your enterprise and point of contact. 3. Publish the PGP signed attestation to your public web page.
C. 1, Publish the software code on GitHub as open source. 2. Establish a bug bounty program, and encourage the open source community to review, report, and fix the vulnerabilities.
D. 1. Hire an external auditor to review and provide provenance 2. Define the scope and conditions. 3. Get support from the Security department or representative. 4. Publish the attestation to your public web page.
You are migrating an application into the cloud The application will need to read data from a Cloud Storage bucket. Due to local regulatory requirements, you need to hold the key material used for encryption fully under your control and you require a valid rationale for accessing the key material. What should you do?
A. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys. Configure an 1AM deny policy for unauthorized groups
B. Encrypt the data in the Cloud Storage bucket by using Customer Managed Encryption Keys backed by a Cloud Hardware Security Module (HSM). Enable data access logs.
C. Generate a key in your on-premises environment and store it in a Hardware Security Module (HSM) that is managed on-premises Use this key as an external key in the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and set the external key system to reject unauthorized accesses.
D. Generate a key in your on-premises environment to encrypt the data before you upload the data to the Cloud Storage bucket Upload the key to the Cloud Key Management Service (KMS). Activate Key Access Justifications (KAJ) and have the external key system reject unauthorized accesses.
You are deploying regulated workloads on Google Cloud. The regulation has data residency and data access requirements. It also requires that support is provided from the same geographical location as where the data resides. What should you do?
A. Enable Access Transparency Logging.
B. Deploy resources only to regions permitted by data residency requirements
C. Use Data Access logging and Access Transparency logging to confirm that no users are accessing data from another region.
D. Deploy Assured Workloads.
You are setting up a new Cloud Storage bucket in your environment that is encrypted with a customer managed encryption key (CMEK). The CMEK is stored in Cloud Key Management Service (KMS). in project "pr j -a", and the Cloud Storage bucket will use project "prj-b". The key is backed by a Cloud Hardware Security Module (HSM) and resides in the region europe-west3. Your storage bucket will be located in the region europe-west1. When you create the bucket, you cannot access the key. and you need to troubleshoot why. What has caused the access issue?
A. A firewall rule prevents the key from being accessible.
B. Cloud HSM does not support Cloud Storage
C. The CMEK is in a different project than the Cloud Storage bucket
D. The CMEK is in a different region than the Cloud Storage bucket.
Your company conducts clinical trials and needs to analyze the results of a recent study that are stored in BigQuery. The interval when the medicine was taken contains start and stop dates The interval data is critical to the analysis, but specific dates may identify a particular batch and introduce bias You need to obfuscate the start and end dates for each row and preserve the interval data. What should you do?
A. Use bucketing to shift values to a predetermined date based on the initial value.
B. Extract the date using TimePartConfig from each date field and append a random month and year
C. Use date shifting with the context set to the unique ID of the test subject
D. Use the FFX mode of format preserving encryption (FPE) and maintain data consistency
Your organization previously stored files in Cloud Storage by using Google Managed Encryption Keys (GMEK). but has recently updated the internal policy to require Customer Managed Encryption Keys (CMEK). You need to re-encrypt the files quickly and efficiently with minimal cost. What should you do?
A. Encrypt the files locally, and then use gsutil to upload the files to a new bucket.
B. Copy the files to a new bucket with CMEK enabled in a secondary region
C. Reupload the files to the same Cloud Storage bucket specifying a key file by using gsutil.
D. Change the encryption type on the bucket to CMEK, and rewrite the objects
Your company is concerned about unauthorized parties gaming access to the Google Cloud environment by using a fake login page. You must implement a solution to protect against person-inthe- middle attacks. Which security measure should you use?
A. Text message or phone call code
B. Security key
C. Google Authenticator application
D. Google prompt
An administrative application is running on a virtual machine (VM) in a managed group at port 5601 inside a Virtual Private Cloud (VPC) instance without access to the internet currently. You want to expose the web interface at port 5601 to users and enforce authentication and authorization Google credentials What should you do?
A. Modify the VPC routing with the default route point to the default internet gateway Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance
B. Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application
C. Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials Modify the VPC firewall to allow access from IAP network range
D. Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application
A company is using Google Kubernetes Engine (GKE) with container images of a mission-critical application The company wants to scan the images for known security issues and securely share the report with the security team without exposing them outside Google Cloud. What should you do?
A. 1. Enable Container Threat Detection in the Security Command Center Premium tier. 2. Upgrade all clusters that are not on a supported version of GKE to the latest possible GKE version. 3. View and share the results from the Security Command Center
B. 1. Use an open source tool in Cloud Build to scan the images. 2. Upload reports to publicly accessible buckets in Cloud Storage by using gsutil 3. Share the scan report link with your security department.
C. 1. Enable vulnerability scanning in the Artifact Registry settings. 2. Use Cloud Build to build the images 3. Push the images to the Artifact Registry for automatic scanning. 4. View the reports in the Artifact Registry.
D. 1. Get a GitHub subscription. 2. Build the images in Cloud Build and store them in GitHub for automatic scanning 3. Download the report from GitHub and share with the Security Team
Your organization operates Virtual Machines (VMs) with only private IPs in the Virtual Private Cloud (VPC) with internet access through Cloud NAT Everyday, you must patch all VMs with critical OS updates and provide summary reports What should you do?
A. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM and execute OS specific update commands Configure the Cloud Scheduler job to update with critical patches daily for daily updates.
B. Ensure that VM Manager is installed and running on the VMs. In the OS patch management service. configure the patch jobs to update with critical patches daily.
C. Assign public IPs to VMs. Validate that the egress firewall rules allow any outgoing traffic Log in to each VM. and configure a daily cron job to enable for OS updates at night during low activity periods.
D. Copy the latest patches to the Cloud Storage bucket. Log in to each VM. download the patches from the bucket, and install them.
Your organization uses BigQuery to process highly sensitive, structured datasets. Following the "need to know" principle, you need to create the Identity and Access Management (IAM) design to meet the needs of these users: Business user must access curated reports. Data engineer: must administrate the data lifecycle in the platform. Security operator: must review user activity on the data platform. What should you do?
A. Configure data access log for BigQuery services, and grant Project Viewer role to security operators.
B. Generate a CSV data file based on the business user's needs, and send the data to their email addresses.
C. Create curated tables in a separate dataset and assign the role roles/bigquery.dataViewer.
D. Set row-based access control based on the "region" column, and filter the record from the United States for data engineers.
Your organization wants to be General Data Protection Regulation (GDPR) compliant You want to ensure that your DevOps teams can only create Google Cloud resources in the Europe regions. What should you do?
A. Use the org policy constraint "Restrict Resource Service Usage'* on your Google Cloud organization node.
B. Use Identity and Access Management (1AM) custom roles to ensure that your DevOps team can only create resources in the Europe regions
C. Use the org policy constraint Google Cloud Platform - Resource Location Restriction" on your Google Cloud organization node.
D. Use Identity-Aware Proxy (IAP) with Access Context Manager to restrict the location of Google Cloud resources.
Your organization wants full control of the keys used to encrypt data at rest in their Google Cloud environments. Keys must be generated and stored outside of Google and integrate with many Google Services including BigQuery. What should you do?
A. Create a Cloud Key Management Service (KMS) key with imported key material Wrap the key for protection during import. Import the key generated on a trusted system in Cloud KMS.
B. Create a KMS key that is stored on a Google managed FIPS 140-2 level 3 Hardware Security Module (HSM) Manage the Identity and Access Management (IAM) permissions settings, and set up the key rotation period.
C. Use Cloud External Key Management (EKM) that integrates with an external Hardware Security Module (HSM) system from supported vendors.
D. Use customer-supplied encryption keys (CSEK) with keys generated on trusted external systems Provide the raw CSEK as part of the API call.
Your customer has an on-premises Public Key Infrastructure (PKI) with a certificate authority (CA). You need to issue certificates for many HTTP load balancer frontends. The on-premises PKI should be minimally affected due to many manual processes, and the solution needs to scale. What should you do?
A. Use Certificate Manager to issue Google managed public certificates and configure it at HTTP the load balancers in your infrastructure as code (laC).
B. Use Certificate Manager to import certificates issued from on-premises PKI and for the frontends. Leverage the gcloud tool for importing
C. Use a subordinate CA in the Google Certificate Authority Service from the on-premises PKI system to issue certificates for the load balancers.
D. Use the web applications with PKCS12 certificates issued from subordinate CA based on OpenSSL on-premises Use the gcloud tool for importing. Use the External TCP/UDP Network load balancer instead of an external HTTP Load Balancer.
Your organization is using Active Directory and wants to configure Security Assertion Markup Language (SAML). You must set up and enforce single sign-on (SSO) for all users. What should you do?
A. 1. Manage SAML profile assignments. 2. Enable OpenID Connect (OIDC) in your Active Directory (AD) tenant. 3. Verify the domain.
B. 1. Create a new SAML profile. 2. Upload the X.509 certificate. 3. Enable the change password URL. 4. Configure Entity ID and ACS URL in your IdP.
C. 1- Create a new SAML profile. 2. Populate the sign-in and sign-out page URLs. 3. Upload the X.509 certificate. 4. Configure Entity ID and ACS URL in your IdP
D. 1. Configure prerequisites for OpenID Connect (OIDC) in your Active Directory (AD) tenant 2. Verify the AD domain. 3. Decide which users should use SAML. 4. Assign the pre-configured profile to the select organizational units (OUs) and groups.
Your company uses Google Cloud and has publicly exposed network assets. You want to discover the assets and perform a security audit on these assets by using a software tool in the least amount of time. What should you do?
A. Run a platform security scanner on all instances in the organization.
B. Notify Google about the pending audit and wait for confirmation before performing the scan.
C. Contact a Google approved security vendor to perform the audit.
D. Identify all external assets by using Cloud Asset Inventory and then run a network security scanner against them.
Your organization wants to protect all workloads that run on Compute Engine VM to ensure that the instances weren't compromised by boot-level or kernel-level malware. Also, you need to ensure that data in use on the VM cannot be read by the underlying host system by using a hardware-based solution. What should you do?
A. 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring 2 Create a Cloud Run function to check for the VM settings generate metrics and run the function regularly
B. 1 Activate Virtual Machine Threat Detection in Security Command Center (SCO Premium 2 Monitor the findings in SCC
C. * 1 Use Google Shielded VM including secure boot Virtual Trusted Platform Module (vTPM) and integrity monitoring 2 Activate Confidential Computing 3 Enforce these actions by using organization policies
D. 1 Use secure hardened images from the Google Cloud Marketplace 2 When deploying the images activate the Confidential Computing option 3 Enforce the use of the correct images and Confidential Computing by using organization policies
Your organization s record data exists in Cloud Storage. You must retain all record data for at least seven years This policy must be permanent. What should you do?
A. 1 Identify buckets with record data 2 Apply a retention policy and set it to retain for seven years 3 Monitor the bucket by using log-based alerts to ensure that no modifications to the retention policy occurs
B. 1 Identify buckets with record data 2 Apply a retention policy and set it to retain for seven years 3 Remove any Identity and Access Management (IAM) roles that contain the storage buckets update permission
C. 1 Identify buckets with record data 2 Enable the bucket policy only to ensure that data is retained 3 Enable bucket lock
D. * 1 Identify buckets with record data 2 Apply a retention policy and set it to retain for seven years 3 Enable bucket lock
Your organization has on-premises hosts that need to access Google Cloud APIs You must enforce private connectivity between these hosts minimize costs and optimize for operational efficiency What should you do?
A. Route all on-premises traffic to Google Cloud through an IPsec VPN tunnel to a VPC with Private Google Access enabled.
B. Set up VPC peering between the hosts on-premises and the VPC through the internet.
C. Enforce a security policy that mandates all applications to encrypt data with a Cloud Key Management. Service (KMS) key before you send it over the network.
D. Route all on-premises traffic to Google Cloud through a dedicated or Partner interconnect to a VPC with Private Google Access enabled.
You have numerous private virtual machines on Google Cloud. You occasionally need to manage the servers through Secure Socket Shell (SSH) from a remote location. You want to configure remote access to the servers in a manner that optimizes security and cost efficiency. What should you do?
A. Create a site-to-site VPN from your corporate network to Google Cloud.
B. Configure server instances with public IP addresses Create a firewall rule to only allow traffic from your corporate IPs.
C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range Grant the role of an IAP- secured Tunnel User to the administrators.
D. Create a jump host instance with public IP Manage the instances by connecting through the jump host.
Your application is deployed as a highly available cross-region solution behind a global external HTTP(S) load balancer. You notice significant spikes in traffic from multiple IP addresses but it is unknown whether the IPs are malicious. You are concerned about your application's availability. You want to limit traffic from these clients over a specified time interval. What should you do?
A. Configure a rate_based_ban action by using Google Cloud Armor and set the ban_duration_sec parameter to the specified time interval.
B. Configure a deny action by using Google Cloud Armor to deny the clients that issued too many requests over the specified time interval.
C. Configure a throttle action by using Google Cloud Armor to limit the number of requests per client over a specified time interval.
D. Configure a firewall rule in your VPC to throttle traffic from the identified IP addresses.
After completing a security vulnerability assessment, you learned that cloud administrators leave Google Cloud CLI sessions open for days. You need to reduce the risk of attackers who might exploit these open sessions by setting these sessions to the minimum duration. What should you do?
A. Set the session duration for the Google session control to one hour.
B. Set the reauthentication frequency (or the Google Cloud Session Control to one hour.
C. Set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension to one hour.
D. Set the organization policy constraint constraints/iam. serviceAccountKeyExpiryHours to one hour and inheritFromParent to false.
Your organization s customers must scan and upload the contract and their driver license into a web portal in Cloud Storage. You must remove all personally identifiable information (Pll) from files that are older than 12 months. Also you must archive the anonymized files for retention purposes. What should you do?
A. Set a time to live (TTL) of 12 months for the files in the Cloud Storage bucket that removes PH and moves the files to the archive storage class.
B. Create a Cloud Data Loss Prevention (DLP) inspection job that de-identifies Pll in files created more than 12 months ago and archives them to another Cloud Storage bucket. Delete the original files.
C. Schedule a Cloud Key Management Service (KMS) rotation period of 12 months for the encryption keys of the Cloud Storage files containing Pll to de-identify them Delete the original keys.
D. Configure the Autoclass feature of the Cloud Storage bucket to de-identify Pll Archive the files that are older than 12 months Delete the original fil
Your organization uses the top-tier folder to separate application environments (prod and dev). The developers need to see all application development audit logs but they are not permitted to review production logs. Your security team can review all logs in production and development environments. You must grant Identity and Access Management (1AM) roles at the right resource level tor the developers and security team while you ensure least privilege. What should you do?
A. 1 Grant logging, viewer rote to the security team at the organization resource level. 2 Grant logging, viewer rote to the developer team at the folder resource level that contains all the dev projects
B. 1 Grant logging. viewer rote to the security team at the organization resource level. 2 Grant logging. admin role to the developer team at the organization resource level.
C. 1 Grant logging.admin role to the security team at the organization resource level. 2 Grant logging. viewer rote to the developer team at the folder resource level that contains all the dev projects.
D. 1 Grant logging.admin role to the security team at the organization resource level. 2 Grant logging.admin role to the developer team at the organization resource level.