GCP Professional Cloud Security Engineer Practice Question

Your company is migrating a payment-processing platform to Google Cloud. PCI DSS requires evidence of configuration changes, records of every user access to card-holder data, and visibility into suspicious network activity. You must design a centralized, cost-effective logging architecture in which all required events from every project are exported to a single BigQuery dataset for long-term analysis. Which combination of Google Cloud log sources must you aggregate to meet the compliance requirements?

Admin Activity audit logs and System Event logs only
Admin Activity audit logs, Data Access audit logs, VPC Flow Logs, and Firewall Rules Logging
VPC Flow Logs, Cloud Trace spans, and Error Reporting logs
Data Access audit logs, Cloud Monitoring metrics, and Cloud NAT logs

Report Issue

Answer Description

To satisfy PCI DSS you need three categories of information:

Configuration or system changes ➜ captured by Admin Activity audit logs (always on).
Reads and writes of card-holder data ➜ captured by Data Access audit logs (must be explicitly enabled for most services).
Indicators of network threats ➜ captured by network telemetry such as VPC Flow Logs and Firewall Rules Logging. Exporting these four log sources from every project to an aggregated sink ensures complete visibility in a single BigQuery dataset. The other options omit at least one mandatory category (for example, they lack Data Access logs or network telemetry) or substitute logs that do not record the required events (Cloud Trace, Error Reporting, Cloud Monitoring metrics, Cloud NAT logs).

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.