GCP Professional Cloud Security Engineer Practice Question
A security team must gain near-real-time insight into who is reading objects stored in a sensitive Cloud Storage bucket. The organization already collects Cloud Audit Logs for Admin Activity but no Data Access records appear when engineers download objects from this bucket. As the Cloud Security Engineer, you need to start logging these read events and make them queryable in BigQuery while following the principle of least privilege and minimizing operational overhead. What should you do?
Create a Cloud Monitoring metric based on the metric type logging.googleapis.com/user/data_access and configure an alerting policy that writes matching entries to BigQuery via Pub/Sub.
Enable the Storage 'Read' Data Access audit logs on the project and configure a project-level log sink that exports entries with logName="cloudaudit.googleapis.com/data_access" AND resource.type="gcs_bucket" to a BigQuery dataset in a centralized logging project. Grant the security analysts BigQuery Data Viewer on that dataset.
Attach the primitive roles/owner role to the security team so they can view all audit logs directly in Logs Explorer; no additional configuration is required because Data Access logs are always on for Cloud Storage.
Grant the security analysts the roles/logging.privateLogViewer role on the source project and create a sink that exports existing Admin Activity logs to BigQuery; Data Access reads will appear automatically once the sink is active.
By default, only Admin Activity and System Event audit logs are always enabled. Data Access audit logs, such as the storage.objects.get entries that record object-level reads in Cloud Storage, are disabled by default to avoid excessive cost and volume. To collect them, you must explicitly enable the 'Read' Data Access audit log type for Cloud Storage at the appropriate resource level (project or organization). Once that log type is enabled, you can create a log sink whose filter selects the Cloud Storage Data Access logs and exports them to a BigQuery dataset. Granting Security Admin (or Logging Configuration Writer) on the project lets you create and manage the sink, while giving the security analysts only BigQuery Data Viewer access on the destination dataset follows least-privilege principles. Adjusting IAM roles or enabling Cloud Monitoring alone will not generate the missing Data Access audit logs, and exporting Admin Activity logs will not include object read events.
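The three steps in the explanation above (enable DATA_READ for storage.googleapis.com, create the sink, grant the minimal BigQuery roles) as an added gcloud script that is not part of the original question. Project, dataset, sink and group names are placeholders; the gcloud/bq/jq calls only run when APPLY=1 is set, so the script can be read and dry-run first. Note that in a real sink filter the Data Access log name is project-scoped and the slash is encoded, i.e. `projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access`, which the helper below emits.

```bash
#!/usr/bin/env bash
# Added example (not from the question page): enable Cloud Storage DATA_READ
# audit logs on a source project and route them to a BigQuery dataset in a
# central logging project. All names below are placeholders / assumptions.
set -euo pipefail

SOURCE_PROJECT="${SOURCE_PROJECT:-source-project-placeholder}"
LOGGING_PROJECT="${LOGGING_PROJECT:-logging-project-placeholder}"
DATASET="${DATASET:-gcs_data_access}"
SINK_NAME="${SINK_NAME:-gcs-read-audit-to-bq}"
ANALYST_GROUP="${ANALYST_GROUP:-group:security-analysts@example.com}"

# auditConfigs entry that turns on only the DATA_READ log type for Cloud
# Storage. DATA_WRITE is left off because the question only asks for reads.
gcs_data_read_audit_config() {
  cat <<'EOF'
{"service":"storage.googleapis.com","auditLogConfigs":[{"logType":"DATA_READ"}]}
EOF
}

# Sink filter: the source project's Data Access log, bucket resources only.
# Cloud Logging encodes the slash in the log name as %2F.
gcs_data_access_filter() {
  printf 'logName="projects/%s/logs/cloudaudit.googleapis.com%%2Fdata_access" AND resource.type="gcs_bucket"' "$1"
}

# BigQuery destination in the form the Logging sinks API expects.
bq_destination() {
  printf 'bigquery.googleapis.com/projects/%s/datasets/%s' "$1" "$2"
}

apply() {
  local policy writer
  policy="$(mktemp)"

  # 1. Merge the audit config into the existing IAM policy. Any existing
  #    storage.googleapis.com entry is replaced; all other services are kept.
  gcloud projects get-iam-policy "$SOURCE_PROJECT" --format=json > "$policy"
  jq --argjson cfg "$(gcs_data_read_audit_config)" \
     '.auditConfigs = ((.auditConfigs // []) | map(select(.service != $cfg.service))) + [$cfg]' \
     "$policy" > "$policy.new"
  gcloud projects set-iam-policy "$SOURCE_PROJECT" "$policy.new"

  # 2. Create the project-level sink; partitioned tables keep query scans small.
  gcloud logging sinks create "$SINK_NAME" \
    "$(bq_destination "$LOGGING_PROJECT" "$DATASET")" \
    --project="$SOURCE_PROJECT" \
    --log-filter="$(gcs_data_access_filter "$SOURCE_PROJECT")" \
    --use-partitioned-tables

  # 3. Least privilege on the destination dataset only: the sink's service
  #    account may write, the analysts may only read.
  writer="$(gcloud logging sinks describe "$SINK_NAME" \
            --project="$SOURCE_PROJECT" --format='value(writerIdentity)')"
  bq add-iam-policy-binding --member="$writer" \
    --role=roles/bigquery.dataEditor "${LOGGING_PROJECT}:${DATASET}"
  bq add-iam-policy-binding --member="$ANALYST_GROUP" \
    --role=roles/bigquery.dataViewer "${LOGGING_PROJECT}:${DATASET}"
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  echo "Dry run. Sink filter would be: $(gcs_data_access_filter "$SOURCE_PROJECT")"
fi
```

Run it once without APPLY to check the filter and names, then with `APPLY=1` from an identity that holds Security Admin or Logging Configuration Writer on the source project. The first read of an object after the policy update should appear in the BigQuery dataset as a `cloudaudit_googleapis_com_data_access` table row with `protoPayload.methodName` equal to `storage.objects.get`.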
Exam domain: Managing operations