GCP Professional Cloud Security Engineer Practice Question
Your company runs several GKE clusters and Compute Engine VMs in multiple projects. The security team must detect potential data exfiltration by analyzing egress flow volumes. They want to collect 100% of VPC Flow Logs from every subnet in every project, centralize them in a single BigQuery dataset with two-year retention, and avoid configuration drift as new projects and subnets are created. As the security engineer, what should you do?
Turn on firewall rule logging for every VPC and export the logs to Cloud Storage with a two-year lifecycle rule, then query the bucket from BigQuery using external tables.
Enable Data Access audit logs in every project and create individual project-level log sinks that export the logs to separate BigQuery datasets with two-year table expiration.
Enable Packet Mirroring on every subnet and forward mirrored traffic to Cloud IDS; export Cloud IDS threat findings to a BigQuery dataset that retains data for two years.
Create an organization-level aggregated log sink with the filter resource.type=gce_subnetwork AND logName:"/vpc_flows" that exports to a centralized BigQuery dataset configured for two-year table expiration, and enforce the constraints/compute.requireVPCFlowLogs organization policy to automatically enable Flow Logs on all subnets.
An organization-level aggregated log sink can export all logs that match its filter from every descendant project and folder. By specifying a filter such as resource.type="gce_subnetwork" AND logName:"/vpc_flows", the sink captures every VPC Flow Log entry and routes it to a single BigQuery dataset where a table expiration policy ensures two-year retention. Enforcing the constraints/compute.requireVPCFlowLogs organization policy guarantees that VPC Flow Logs are automatically enabled for any new subnet in any project, preventing configuration drift. The other approaches either gather the wrong log type, require per-project configuration, miss future subnets, or store data outside BigQuery, so they do not meet all stated requirements.
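As an added illustration (it is not part of the original question or its answer key), the Terraform configuration below implements the selected option end to end: a central BigQuery dataset with two-year expiration, an organization-level aggregated sink with the flow-log filter and child resources included, the IAM grant the sink's writer identity needs, and the organization policy that forces Flow Logs on every subnet. The organization ID, project ID, dataset ID, sink name and location are placeholders. The page writes the constraint as constraints/compute.requireVPCFlowLogs; the example uses the casing compute.requireVpcFlowLogs, and the allowed value COMPREHENSIVE (full 1.0 sampling) is assumed from the constraint's documented value set and should be checked against the current Organization Policy constraint reference before use.

```hcl
# Added example, not the page's or Google's own configuration.
# Placeholder values: organization "123456789012", central project "sec-logging-prj",
# dataset "vpc_flow_logs", sink "org-vpc-flow-logs-to-bq", location "US".

locals {
  org_id       = "123456789012"             # placeholder organization ID
  project_id   = "sec-logging-prj"          # placeholder central security project
  two_years_ms = 730 * 24 * 60 * 60 * 1000  # 63072000000 ms
}

# Central dataset. Tables (and partitions) older than two years are dropped automatically,
# which is how the two-year retention requirement is enforced.
resource "google_bigquery_dataset" "vpc_flow_logs" {
  project                         = local.project_id
  dataset_id                      = "vpc_flow_logs"
  location                        = "US"
  default_table_expiration_ms     = local.two_years_ms
  default_partition_expiration_ms = local.two_years_ms
}

# Organization-level aggregated sink. include_children = true routes matching entries
# from every descendant folder and project, including projects created later, so no
# per-project sink is needed. The filter is the one given in the answer explanation.
resource "google_logging_organization_sink" "vpc_flows" {
  name             = "org-vpc-flow-logs-to-bq"
  org_id           = local.org_id
  include_children = true
  destination      = "bigquery.googleapis.com/projects/${local.project_id}/datasets/${google_bigquery_dataset.vpc_flow_logs.dataset_id}"
  filter           = "resource.type=\"gce_subnetwork\" AND logName:\"/vpc_flows\""

  bigquery_options {
    use_partitioned_tables = true
  }
}

# The sink writes with a generated service account; without this grant the sink
# silently fails to deliver and the dataset stays empty.
resource "google_bigquery_dataset_iam_member" "sink_writer" {
  project    = local.project_id
  dataset_id = google_bigquery_dataset.vpc_flow_logs.dataset_id
  role       = "roles/bigquery.dataEditor"
  member     = google_logging_organization_sink.vpc_flows.writer_identity
}

# Organization policy that requires Flow Logs on every subnet in the organization.
# Constraint name and the COMPREHENSIVE value (1.0 sampling, i.e. 100% of flows)
# are assumptions to verify against the Organization Policy constraint reference.
resource "google_org_policy_policy" "require_vpc_flow_logs" {
  name   = "organizations/${local.org_id}/policies/compute.requireVpcFlowLogs"
  parent = "organizations/${local.org_id}"

  spec {
    rules {
      values {
        allowed_values = ["COMPREHENSIVE"]
      }
    }
  }
}
```

Two points worth checking after apply: the sink's filter can be tested with the same query string in the Logs Explorer at the organization scope to confirm that flow-log entries from several projects match, and subnets that existed before the policy was set are not retroactively reconfigured by the constraint, so a one-time audit of existing subnets' Flow Logs settings is still needed.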