Your security team mandates that all Admin Activity and Data Access audit logs from the production project be archived in a dedicated Cloud Storage bucket for at least seven years. You create a log sink called prod-audit-archive with the following settings:
Destination: gs://prod-audit-logs
Inclusion filter: logName:("cloudaudit.googleapis.com%2Factivity" OR "cloudaudit.googleapis.com%2Fdata_access")
After 24 hours no new objects appear in the bucket. What additional action is required to make sure the sink can deliver log entries to the bucket while preserving least-privilege access?
Grant the sink's writer identity the Storage role allowing it to create objects (for example, roles/storage.objectCreator) on the prod-audit-logs bucket.
Set a bucket lifecycle rule that prevents object deletion for seven years.
Recreate the sink using a Cloud Storage URI that ends with /** to match all object prefixes.
Enable Requester Pays on the prod-audit-logs bucket so Cloud Logging is billed for writes.
When you create a log sink, Cloud Logging automatically generates a unique service account known as the writer identity (for example, serviceAccount:[email protected] or serviceAccount:[email protected]). Cloud Storage only accepts objects written by principals that hold the Storage roles necessary for upload. Until you grant the sink's writer identity the role roles/storage.objectCreator (or a broader role such as roles/storage.objectAdmin) on the destination bucket, Cloud Logging cannot write objects and the export stays empty. Enabling Requester Pays, lifecycle policies, or uniform bucket-level access does not grant write permissions, and recreating the sink does not remove the need for the IAM binding.
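The check described above, as an added example that is not part of the original question: it takes the JSON from `gcloud logging sinks describe` and `gcloud storage buckets get-iam-policy` and reports whether the writer identity can write and whether it holds more than roles/storage.objectCreator. The sample documents, the service account address, and the function names are constructed for illustration, and the list of broader roles is a non-exhaustive assumption.

```python
CREATOR = "roles/storage.objectCreator"
# Broader roles that also allow object creation (non-exhaustive, assumption).
BROADER = {"roles/storage.objectAdmin", "roles/storage.admin"}

# Constructed sample: `gcloud logging sinks describe prod-audit-archive --format=json`
SINK = {
    "name": "prod-audit-archive",
    "writerIdentity": "serviceAccount:service-000000000000@gcp-sa-logging.iam.gserviceaccount.com",
}
# Constructed samples: `gcloud storage buckets get-iam-policy gs://prod-audit-logs --format=json`
POLICY_NO_BINDING = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:secops@example.com"]},
]}
POLICY_LEAST_PRIV = {"bindings": POLICY_NO_BINDING["bindings"] + [
    {"role": CREATOR, "members": [SINK["writerIdentity"]]},
]}
POLICY_TOO_BROAD = {"bindings": POLICY_NO_BINDING["bindings"] + [
    {"role": "roles/storage.objectAdmin", "members": [SINK["writerIdentity"]]},
]}

def roles_for(member, policy):
    """Roles bound directly to `member` (group membership is not resolved)."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}

def audit_sink(sink, policy, bucket):
    """Classify the writer identity's access to the destination bucket."""
    member = sink["writerIdentity"]
    roles = roles_for(member, policy)
    excess = sorted(roles & BROADER)
    if CREATOR in roles and not excess:
        status = "ok"               # can write, least privilege
    elif roles & (BROADER | {CREATOR}):
        status = "over_privileged"  # can write, but holds a broader role
    else:
        status = "cannot_write"     # export stays empty
    fix = None
    if CREATOR not in roles:
        fix = (f"gcloud storage buckets add-iam-policy-binding gs://{bucket} "
               f"--member={member} --role={CREATOR}")
    return {"status": status, "excess_roles": excess, "fix": fix}

if __name__ == "__main__":
    for name, pol in [("no binding", POLICY_NO_BINDING),
                      ("least privilege", POLICY_LEAST_PRIV),
                      ("too broad", POLICY_TOO_BROAD)]:
        print(name, audit_sink(SINK, pol, "prod-audit-logs"))
```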
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution