GCP Professional Cloud Security Engineer Practice Question
Your company operates regulated workloads on several Google Cloud projects. Compliance policy requires an immutable audit trail of every time Google support engineers access your data or configurations. The security team already exports all Cloud Audit Logs to a centralized BigQuery dataset through an aggregated organization-level log sink. Which action should you take to satisfy the new requirement with minimal changes to the existing logging pipeline?
Create a Cloud Monitoring alert that scans Admin Activity logs for principalEmail values ending with @google.com and notifies compliance when detected.
Enable Access Transparency at the organization level and rely on the existing aggregated Log Router sink to export the new access_transparency log entries to BigQuery.
Enable Access Approval on every project so that any Google personnel access must be explicitly authorized, eliminating the need for additional logging.
Turn on Data Access logs for all services and export them; these logs automatically include provider actions alongside customer actions.
Access Transparency (AT) is the only Google Cloud feature that records and exposes provider-side administrative activity such as support engineer access. When AT is enabled for the organization, the platform automatically delivers additional log entries whose logName ends in "access_transparency" to Cloud Logging. Because the company already uses an aggregated organization-level log sink that routes all Cloud Audit Logs to BigQuery, the same sink can be extended (or left unchanged if it includes all log names) to capture the new AT log entries with no architectural change.
Access Approval blocks provider access until approval is granted, but it does not by itself create audit logs. Data Access logs and Admin Activity logs cover customer and service-account actions, not internal Google personnel events. Searching existing Admin Activity logs for @google.com principals would miss many internal workflows that are only surfaced through AT. Therefore, enabling Access Transparency and relying on the existing centralized sink is the correct approach.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Access Transparency in Google Cloud?
Open an interactive chat with Bash
How is Access Approval different from Access Transparency?
Open an interactive chat with Bash
Why can't Data Access or Admin Activity logs achieve the same results as Access Transparency logs?
Open an interactive chat with Bash
What is Access Transparency in Google Cloud?
Open an interactive chat with Bash
How does Access Transparency differ from Access Approval in Google Cloud?
Open an interactive chat with Bash
What is a centralized log sink in Google Cloud?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Supporting compliance requirements
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .