GCP Professional Cloud Architect Practice Question

Your organization must retain a tamper-proof record of every IAM policy change and every successful read of objects stored in the prod-sec project for at least seven years to satisfy an upcoming PCI audit. Today, an organization-level log sink already exports only Admin Activity logs from all projects to a BigQuery dataset. Which design will meet the compliance requirement with the least additional cost and guarantee log immutability?

Create individual log sinks on each prod-sec Cloud Storage bucket that keep Data Access logs in Cloud Logging's default 30-day retention; instruct auditors to download logs monthly before expiration.
Stream all organization Audit Logs through Pub/Sub to an external SIEM that supports write-once-read-many storage, and disable the existing BigQuery sink to avoid duplicate exports.
Enable Cloud Storage Data Access logs for the prod-sec project, update the organization-level sink to include those logs, and route the sink to a dedicated Cloud Storage bucket that has Object Versioning plus a 7-year retention policy locked with Bucket Lock; grant auditors Storage Object Viewer on the bucket.
Enable Cloud Storage Data Access logs for the prod-sec project and create a new project-level sink that exports all Admin Activity and Data Access logs to a BigQuery dataset encrypted with CMEK and configured with a 7-year table expiration.

Report Issue

Answer Description

Admin Activity logs are already collected automatically, but Cloud Storage object reads are recorded in Data Access logs, which are disabled by default.
The simplest, lowest-cost way to meet the new requirement is:

Enable Data Access logs for Cloud Storage in the prod-sec project so that each storage.objects.get event is written to Cloud Logging.
Extend the existing organization-level sink with an inclusion filter that selects both Admin Activity logs and the newly enabled Cloud Storage Data Access logs for the prod-sec project.
Redirect the sink's destination to a dedicated Cloud Storage bucket that has Object Versioning enabled, a 7-year retention policy configured, and the retention locked (Bucket Lock). After the lock is in place, no principal-including project owners-can delete or overwrite the objects before the retention period ends, satisfying the immutability requirement.
Grant auditors read-only access (Storage Object Viewer) to the bucket so they can query or export the logs.

BigQuery does not provide write-once-read-many (WORM) guarantees; authorized users could still delete or overwrite tables, so exporting to BigQuery alone cannot satisfy immutability. Per-bucket or Pub/Sub-based exports would add complexity or higher ongoing costs without offering stronger immutability guarantees. Therefore, updating the existing sink and using a locked Cloud Storage bucket is the best choice.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.