GCP Professional Cloud Security Engineer Practice Question

Your company has hundreds of Google Cloud projects under a single organization. Security operations requires that every Admin Activity audit log entry and every VPC firewall rules log entry from any project be stored in a central BigQuery dataset for long-term analysis. Duplicate log entries must be avoided, and project owners must not be able to disable or change the export configuration. Which solution meets these requirements?

Create a non-intercepting aggregated log sink at the organization level with includeChildren=true and a filter that selects Admin Activity and firewall rule logs, routing them to a BigQuery dataset in a central logging project. Grant the organization-level Cloud Logging service account permission to write to the dataset.
Create an intercepting aggregated sink on the folder that contains most projects, export all logs to BigQuery, and deduplicate events in queries when necessary.
Create identical log sinks in every project that export all logs to the same BigQuery dataset and restrict project owners from editing their sinks through organization-level IAM policies.
Enable Data Access audit logs organization-wide, create a global Pub/Sub log sink, stream all logs to Cloud Dataflow, and have Dataflow write only Admin Activity and firewall logs to BigQuery after removing duplicates.

Report Issue

Answer Description

An aggregated log sink created at the organization level can export log entries from all descendant folders and projects when the includeChildren flag is set. Because it is defined at the organization level, project or folder administrators cannot modify or delete it. Choosing the default non-intercepting mode ensures that log entries already captured by sinks lower in the hierarchy are not copied again, preventing duplication. By setting a filter that selects only logName:("cloudaudit.googleapis.com%2Factivity") OR resource.type="gce_firewall_rule" and pointing the sink to a BigQuery dataset in a dedicated logging project, the required logs are collected centrally with no duplicates. The other options fail to meet one or more constraints: creating separate per-project sinks relies on project owners and can result in inconsistent configuration; placing an intercepting sink at a folder scope misses projects outside the folder and can create duplicates; using Pub/Sub and Dataflow adds unnecessary complexity and still allows project owners to remove their own sinks.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.