GCP Professional Cloud Architect Practice Question
Your organization operates multiple Google Cloud projects hosting GKE clusters, Cloud Run services, and several Compute Engine workloads. Compliance mandates that all Admin Activity and Data Access audit logs be retained for 24 months in a single location, and that security operations receive an alert within minutes whenever a project-level IAM role binding is modified. You want to keep operational effort and storage costs low. Which logging architecture best satisfies these requirements?
Create an aggregated sink that routes all projects' audit logs to a centralized Cloud Logging bucket with a 730-day retention policy; define a logs-based metric that matches iam.policy changes and an alerting policy on that metric.
Install the Ops Agent on every VM and configure it to publish logs to Pub/Sub; trigger a Dataflow job that archives messages in a Cloud Storage bucket with a 730-day lifecycle rule, and invoke Cloud Functions to detect role binding changes and raise alerts.
Configure a log sink in every project that writes audit logs to its own Cloud Storage Nearline bucket with a 730-day retention rule; rely on Cloud Audit Logs email notifications to inform security when IAM role bindings change.
Stream all audit logs from each project to a shared BigQuery dataset using export sinks; set partition expiration to 730 days and run scheduled queries that write findings to Cloud Monitoring for alerting.
A centralized log bucket with extended retention keeps all audit logs together and eliminates the need to manage exports or external storage services. Aggregated sinks can forward logs from every project to that bucket automatically. Custom retention on the bucket (730 days) fulfills the two-year requirement without paying egress or analysis fees incurred by BigQuery or Cloud Storage exports. A logs-based metric on the specific iam.googleapis.com activity streams directly into Cloud Monitoring, allowing near real-time alerting without additional pipelines. The other options either store logs in higher-cost analytics products, require complex custom processing, or scatter data across buckets, increasing both overhead and delay.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a log sink in Google Cloud?
Open an interactive chat with Bash
What is a logs-based metric in Google Cloud?
Open an interactive chat with Bash
How does Cloud Monitoring support alerting in near real-time?
Open an interactive chat with Bash
What is an aggregated sink in Cloud Logging?
Open an interactive chat with Bash
What is a logs-based metric in Cloud Monitoring?
Open an interactive chat with Bash
How does Cloud Logging ensure cost-effective storage?
Open an interactive chat with Bash
GCP Professional Cloud Architect
Ensuring solution and operations excellence
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .