GCP Professional Cloud Security Engineer Practice Question
A security engineer notices repeated "error: PERMISSION_DENIED" responses in an application that calls Cloud Storage, but the project's Admin Activity and Data Access audit logs show no matching entries. To trace the root cause, the engineer wants to rely on Policy Denied audit logs. Which statement correctly describes how these logs behave in Google Cloud Logging and helps the engineer decide on next steps?
They are generated only when IAM denial conditions block access; Organization Policy or VPC Service Controls blocks are logged as Data Access events that must be enabled first.
They are always written to Cloud Logging for every Google Cloud service at no additional cost and cannot be disabled, so the engineer can immediately query them to see which security policy blocked the calls.
They are automatically promoted to Cloud Monitoring alert policies, so the engineer should check the Monitoring alert history instead of Cloud Logging.
They require per-service opt-in similar to Data Access audit logs; the engineer must enable Policy Denied logging for Cloud Storage before entries will appear.
Policy Denied audit logs are generated automatically whenever a request to a Google Cloud API is blocked by a security policy such as IAM denial, an Organization Policy constraint, Access Context Manager perimeter, or VPC Service Controls. Unlike Data Access audit logs, which must be explicitly enabled for most services, Policy Denied logs are always on for all Google Cloud services, cannot be disabled, and are written to Cloud Logging free of charge. Therefore, if the application calls are being rejected by a security policy, the engineer will find the relevant entries in the project's audit log bucket without needing to turn on additional logging or incur extra costs. Other statements are incorrect: Policy Denied logs are not limited to only IAM-denied calls, they are not subject to per-API opt-in, and they do not automatically trigger Cloud Monitoring alerts unless such alerts are explicitly configured.
GCP Professional Cloud Security Engineer
Managing operations