GCP Professional Cloud Architect Practice Question
Your organization operates dozens of Google Cloud projects in multiple folders. New regulatory rules mandate that all Admin Activity and Data Access audit logs must be kept for at least seven years, and once written they must be impossible for any administrator, even organization-level owners, to modify or delete. Security engineers also need read-only access to the archived logs from a central location. Which logging design best satisfies these immutability and access requirements while keeping ongoing maintenance effort low?
Stream all audit logs to Pub/Sub and trigger Cloud Functions that write the entries into a Cloud SQL instance configured with seven-year point-in-time recovery; allow administrators read access to the database.
Configure project-level log sinks that export Admin Activity and Data Access logs to BigQuery datasets in the same projects, set table expiration to seven years, and grant the security team BigQuery Data Viewer access.
Create an organization-level aggregated log sink that exports Admin Activity and Data Access logs to a Cloud Storage bucket in a dedicated logging project; enable a seven-year retention policy on the bucket, lock the policy, allow only the Cloud Logging service account to write, and grant administrators Storage Object Viewer access.
Extend the retention period of each project's _Required and _Default log buckets to 2,555 days and create an organization-level IAM deny policy that removes storage.objectDelete permissions from all users.
Exporting logs with an aggregated sink at the organization level guarantees that every current and future project's Admin Activity and Data Access logs are routed to a single destination, eliminating per-project configuration overhead. Writing the logs to a Cloud Storage bucket in a dedicated logging project separates log storage from production environments. Enforcing a seven-year bucket retention policy and then locking that policy turns the bucket into a write-once-read-many (WORM) store: after locking, no principal (including organization admins) can shorten the retention period or delete objects until it expires. Granting the Logging service account write permission while giving administrators only Storage Object Viewer keeps the logs append-only for the sink and read-only for everyone else.
The other options fail to guarantee immutability or require more operational overhead:
Exporting to BigQuery datasets in each project leaves logs under the control of project owners, who can still delete datasets or edit table data.
Extending retention on the default Logging buckets does not stop privileged users from changing or deleting the buckets later unless they are locked, which the default buckets do not support.
Storing logs in Cloud SQL through Pub/Sub and Cloud Functions creates mutable records; data can still be updated or deleted, and the extra components add complexity without providing WORM guarantees.
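One way to implement the chosen design in Terraform, as an added example that is not part of the original question page; `org_id`, `logging_project` and `security_group` are placeholder variables, and the bucket name, sink name and location are assumed:

```hcl
variable "org_id"          { type = string } # placeholder: numeric organization ID
variable "logging_project" { type = string } # placeholder: dedicated logging project
variable "security_group"  { type = string } # placeholder, e.g. "group:sec-eng@example.com"

# Dedicated WORM bucket for the archived audit logs.
resource "google_storage_bucket" "audit_archive" {
  name                        = "${var.logging_project}-audit-archive"
  project                     = var.logging_project
  location                    = "US"
  uniform_bucket_level_access = true

  # 7 years = 2,555 days = 220,752,000 seconds. Once is_locked is true the
  # policy can never be removed or shortened, not even by an org admin, so
  # apply with is_locked = false first, confirm logs are arriving, then lock.
  retention_policy {
    retention_period = 220752000
    is_locked        = true
  }

  lifecycle {
    prevent_destroy = true
  }
}

# Organization-level aggregated sink: include_children routes matching logs
# from every current and future folder and project under the organization.
resource "google_logging_organization_sink" "audit_archive" {
  name             = "org-audit-archive"
  org_id           = var.org_id
  include_children = true
  destination      = "storage.googleapis.com/${google_storage_bucket.audit_archive.name}"
  filter           = join(" OR ", [
    "log_id(\"cloudaudit.googleapis.com/activity\")",
    "log_id(\"cloudaudit.googleapis.com/data_access\")",
  ])
}

# Only the sink's writer identity may create objects; no principal is granted
# delete, and the locked retention policy blocks deletion regardless of IAM.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_archive.name
  role   = "roles/storage.objectCreator"
  member = google_logging_organization_sink.audit_archive.writer_identity
}

# Security engineers get central, read-only access to the archive.
resource "google_storage_bucket_iam_member" "security_reader" {
  bucket = google_storage_bucket.audit_archive.name
  role   = "roles/storage.objectViewer"
  member = var.security_group
}
```

Data Access audit logs are disabled by default for most services, so the sink only captures them where the organization's audit-log configuration has enabled them.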
Exam: GCP Professional Cloud Architect. Domain: Designing for security and compliance.