GCP Professional Cloud Security Engineer Practice Question
A healthcare insurer has more than 100 Google Cloud projects organized under a single organization node. To comply with regulations, it must retain all Admin Activity and Data Access audit logs for seven years and keep them readily searchable for incident investigations. The default Cloud Logging retention periods are insufficient, and the security team wants the simplest solution to meet the requirement with minimal ongoing maintenance. What should they do?
Extend the retention period of Cloud Logging in every project to seven years and rely on Log Explorer for querying when needed.
Configure one aggregated sink exporting only Admin Activity logs to Cloud Storage with a lifecycle rule that deletes objects after seven years; query the data using BigQuery's federated external tables when required.
Enable Admin Activity and Data Access logs in each project and export them to Pub/Sub, then run a Dataflow pipeline that writes the logs into Cloud SQL tables with a seven-year TTL.
Create a single aggregated Log Router sink at the organization level that routes all Cloud Audit Logs to a time-partitioned BigQuery dataset in a dedicated compliance project, and set the dataset's partition expiration to seven years.
An organization-level aggregated Log Router sink that exports every Cloud Audit Log entry (both Admin Activity and Data Access) to a centralized BigQuery dataset meets the seven-year retention and searchability requirements while requiring only a single configuration. BigQuery allows time-partitioned tables whose partition expiration can be set (for example, to 2 555 days ≈ 7 years) so the logs are kept for the mandated period and then automatically deleted.
Increasing Cloud Logging's built-in retention is impossible beyond its fixed limits (400 days for Admin Activity/System Event, 30 days for Data Access). Creating per-project sinks multiplies administrative overhead, and exporting to Pub/Sub and then into Cloud SQL adds unnecessary components and operational burden. Exporting only Admin Activity to Cloud Storage omits the required Data Access logs and does not provide the same interactive querying capability without additional loading steps.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an aggregated Log Router sink in Google Cloud?
Open an interactive chat with Bash
How do time-partitioned tables work in BigQuery?
Open an interactive chat with Bash
Why is BigQuery preferable for storing Cloud Audit Logs compared to other options?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .