GCP Professional Cloud Security Engineer Practice Question
Your company recently acquired two other businesses and now manages more than 120 Google Cloud projects under a single organization node. Security policy requires that:

- All audit and network logs from every project must be retained for exactly seven years.
- Only members of the central security team may view the raw log entries.
- Security engineers need to run ad-hoc SQL queries against recent findings without moving data to another service.
- Logging costs should be minimized and managed in one place.

Which logging architecture best meets these requirements?

- Create an organization-level aggregated sink that routes all logs to a dedicated log bucket in a central "security-logs" project, set the bucket's retention to seven years, enable Log Analytics on the bucket, and grant only the security team roles/logging.privateLogViewer access.
- In every project, configure a sink that exports only Admin Activity logs to a Cloud Storage bucket with a seven-year lifecycle rule, then mount the bucket to the SIEM; give developers read-only access to the bucket.
- Enable Data Access logs for all services and stream every log entry to Pub/Sub, forwarding the stream to the company's external SIEM that stores data for seven years; disable Cloud Logging storage to lower costs.
- Create separate log buckets with seven-year retention in each project and configure folder-level aggregated sinks that copy the logs to a BigQuery dataset; grant the network engineering team roles/logging.privateLogViewer on every bucket.

An aggregated sink created at the organization level guarantees that all logs from every descendant folder and project are routed to a single destination. Sending that sink to a dedicated log bucket in a central "security-logs" project avoids per-project duplication and simplifies cost management. The bucket's retention policy can be set to 2,555 days (seven years). Enabling Log Analytics on the bucket provisions an in-place BigQuery interface, letting engineers run SQL queries without exporting the data. Granting the security group the roles/logging.privateLogViewer role on the bucket, and withholding broader roles from others, enforces least-privilege access to raw entries.

The other options fail to meet one or more requirements:

- Exporting from each project (or relying solely on an external SIEM) duplicates configuration effort, increases the likelihood of drift, and can forfeit Cloud Logging's built-in analytics.
- Per-project buckets or folder-level sinks do not cover the entire hierarchy after future acquisitions and complicate retention management.
- Allowing additional teams viewer roles violates the restriction that only the security team can read raw logs.
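
The architecture from the correct answer, written out as a gcloud sequence (an added example, not part of the original question). The organization ID, bucket name, sink name and group address are constructed placeholders, and step 3 is a grant the answer text does not mention but that a sink writing to a log bucket in another project needs.

```bash
#!/usr/bin/env bash
# Added example. IDs, names and the group address are constructed placeholders.
ORG_ID="${ORG_ID:-123456789012}"
LOG_PROJECT="${LOG_PROJECT:-security-logs}"   # central project named in the answer
BUCKET_ID="${BUCKET_ID:-org-central-logs}"    # hypothetical bucket name
SINK_NAME="${SINK_NAME:-org-all-logs}"        # hypothetical sink name
SEC_GROUP="${SEC_GROUP:-group:security-team@example.com}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = run them

# Seven years expressed in days, as the retention flag expects (7 * 365 = 2555).
retention_days() { echo $(( $1 * 365 )); }

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

bucket_path() {
  echo "logging.googleapis.com/projects/${LOG_PROJECT}/locations/global/buckets/${BUCKET_ID}"
}

deploy() {
  # 1. One central bucket: seven-year retention, Log Analytics enabled for SQL queries.
  run gcloud logging buckets create "$BUCKET_ID" --project="$LOG_PROJECT" \
    --location=global --retention-days="$(retention_days 7)" --enable-analytics

  # 2. Organization-level aggregated sink; --include-children pulls in every
  #    descendant folder and project, including ones added later.
  run gcloud logging sinks create "$SINK_NAME" "$(bucket_path)" \
    --organization="$ORG_ID" --include-children

  # 3. The sink's writer identity must be allowed to write into the bucket.
  if [ "$DRY_RUN" = "1" ]; then
    writer="serviceAccount:SINK_WRITER_IDENTITY"   # placeholder shown in dry-run
  else
    writer="$(gcloud logging sinks describe "$SINK_NAME" \
      --organization="$ORG_ID" --format='value(writerIdentity)')"
  fi
  run gcloud projects add-iam-policy-binding "$LOG_PROJECT" \
    --member="$writer" --role=roles/logging.bucketWriter

  # 4. Raw-entry read access for the security team only. Bound on the dedicated
  #    project here (assumption: nothing else lives in that project).
  run gcloud projects add-iam-policy-binding "$LOG_PROJECT" \
    --member="$SEC_GROUP" --role=roles/logging.privateLogViewer
}

deploy
```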