GCP Professional Cloud Architect Practice Question

An online payment processor is migrating workloads to Google Cloud. To satisfy PCI DSS requirements and an internal mandate to keep all Admin Activity and Data Access logs for seven years, the security team must guarantee that the logs cannot be modified or deleted by platform administrators while keeping storage costs low. Which design best meets these requirements?

Create an aggregated organization-level log sink that routes all Admin Activity and Data Access logs to a Cloud Storage bucket in a dedicated logs project. Enable uniform bucket-level access, configure a seven-year retention policy, lock the bucket (Bucket Lock), and grant only the Logs Router service account the objectCreator role.
Export all Audit Logs to a BigQuery dataset in the same project, set table expiration to seven years, and restrict modifications by granting the audit team the BigQuery Data Viewer role only.
Rely on Cloud Logging's default 400-day retention and grant the audit team the Logs Viewer role on each project; when older records are needed, export them on demand to BigQuery.
Stream Audit Logs to Pub/Sub and forward them over VPN to the company's on-premises SIEM, then configure Cloud Logging to delete local copies after 30 days to reduce costs.

Report Issue

Answer Description

Exporting Audit Logs to a Cloud Storage bucket that is owned by a dedicated logs-archive project and protected with Bucket Lock provides the strongest guarantee that no administrator can alter or delete the records. Bucket Lock enforces an object-level retention policy that is legally holdable and cannot be removed once locked. Granting the Logs Router service account the objectCreator role lets it write new objects but not overwrite or delete existing ones, and using uniform bucket-level access simplifies IAM management. Cloud Storage Archive/Coldline classes can be selected to keep long-term costs low.

The default Cloud Logging retention (400 days for Admin Activity and 30 days for Data Access) is far shorter than seven years. BigQuery datasets do not provide true immutability-dataset or table owners can still delete or overwrite records-even if expiration is set to seven years. Forwarding logs to an on-premises SIEM and deleting them from Cloud Logging after 30 days breaks the seven-year requirement and puts integrity outside Google Cloud's managed controls. Therefore, the bucket-lock approach in a separate project is the only option that satisfies all retention, immutability, and cost objectives.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.