GCP Professional Cloud Architect Practice Question

Your company must satisfy a new regulatory mandate: every Google Cloud project's Admin Activity and Data Access audit logs must be preserved in an immutable (write-once-read-many) store for at least seven years. Security investigators also need near-real-time SQL access to the most recent 12 months of those logs. You are designing the logging architecture for hundreds of existing and future projects and want to minimize long-term operational effort. Which approach best meets all requirements?

Configure per-project log sinks that publish Admin Activity and Data Access logs to Pub/Sub, stream them into Cloud Bigtable, and schedule a Dataflow job to delete records older than seven years while investigators query the data through Bigtable.
Create two aggregated organization-level log sinks with identical filters: route one sink to a CMEK-encrypted BigQuery dataset in a dedicated security project for 12-month interactive queries, and route the other sink to a Cloud Storage bucket in the same project with Object Versioning and a seven-year Bucket Lock; grant write access only to the Log Router service account.
Enable a 2555-day custom retention policy on every project's default logging bucket and give security investigators the Logging Private Logs Viewer role so they can query required data in Logs Explorer.
Export all audit logs to an on-premises Splunk cluster via Pub/Sub, retain the data there for seven years, and allow investigators to run searches through Splunk's interface.

Report Issue

Answer Description

Configuring two organization-level aggregated log sinks with identical filters captures Admin Activity and Data Access logs from every current and future project without extra per-project setup. One sink routes the log stream to a CMEK-encrypted BigQuery dataset, where partition expiration or a restricted view limits investigators to the latest 12 months while still enabling SQL queries. The second sink routes the same stream to a Cloud Storage bucket that has Object Versioning enabled and Bucket Lock set in compliance mode with a seven-year retention period, ensuring write-once-read-many immutability that even project owners cannot override. Because Cloud Logging's Log Router writes directly to both managed destinations, no custom code or additional infrastructure is required, and IAM on the dataset and bucket can be limited to the Log Router service account. The alternative options either fail to ensure true immutability, lack native SQL querying, or introduce significant operational overhead.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.