All logs in your organization are aggregated into a centralized Google Cloud logging project for...

Google Cloud Logging supports Field-level access control, which allows you to hide specific sensitive fields within a log entry from certain users while still allowing them to see the rest of the log entry.5 This is achieved using Log Views and IAM.

According to Google Cloud Documentation (Configuring field-level access):

"Field-level access control allows you to restrict access to specific fields of LogEntry objects. You can define which fields are sensitive (such as principalEmail) and then grant the logging.fieldAccessor role to specific users or groups.6 Users without this role will see the log entry, but the sensitive fields will be redacted or omitted from their view."

Key Implementation Steps:

Identify Fields: Determine which paths in the JSON payload are sensitive.

Define Access: Use a Log View to define the scope of logs and apply field-level restrictions.7

Grant Permissions: Grant the standard logging.viewer role for general access and the logging.fieldAccessor role ONLY to the security team for the specific sensitive fields.

Why other options are incorrect:

B is incorrect: IAM conditions cannot natively parse and redact specific JSON fields within a log entry at the platform level; they are typically used for resource-level access.

C is incorrect: While excluding fields via a sink works, it is "all or nothing." If you exclude it at the sink, no one (including the security team) will see that data in the destination.

D is incorrect: This is a workaround that only works if the team uses BigQuery for logs. It doesn't solve the problem within the Cloud Logging Logs Explorer itself.