GCP Professional Cloud Security Engineer Practice Question
Your company stores sensitive healthcare records in a BigQuery dataset located in the europe-west1 multi-region. During a compliance audit, the security team is asked to demonstrate exactly which identities have executed SELECT queries against the dataset over the last 12 months. Admin Activity audit logs are already being exported to a central logging project, but the auditors state the evidence is insufficient. Which configuration change will most directly close this gap?
Enable Data Access audit logs for BigQuery at the required scope and update the centralized log sink to capture and retain those logs.
Increase Cloud Trace sampling to 100 percent so every BigQuery API call is traced and stored.
Activate Access Transparency for the organization to log any data access performed by Google personnel.
Turn on VPC Flow Logs for the subnet that serves BigQuery traffic and set retention to 400 days.
Admin Activity audit logs only record operations that modify the configuration of a Google Cloud service. To see who accessed or read data, you must enable Data Access audit logs for the relevant service. Enabling BigQuery Data Access logs at the organization, folder, or project level records read and write API calls such as jobs.query and tabledata.list, which include SQL SELECT activity. Extending the existing aggregated sink ensures the newly generated Data Access entries are archived for the required 12-month retention period. VPC Flow Logs capture network metadata, not application-layer identity information. Cloud Trace records latency samples and does not provide a full audit trail of data reads. Access Transparency only logs Google staff actions, not customer user queries. Therefore, enabling BigQuery Data Access audit logs and exporting them is the correct remediation.
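Once Data Access entries reach the central sink, the auditors' question becomes a query over those entries. The following is an added example, not part of the original question: it tallies BigQuery calls per identity from exported LogEntry JSON lines and skips Admin Activity entries, other services, and anything older than the audit window. The project name, identities, method names, and log lines are constructed sample values, and timestamps are assumed to be whole-second UTC.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

DATA_ACCESS_SUFFIX = "/logs/cloudaudit.googleapis.com%2Fdata_access"
LOG_PREFIX = "projects/example-proj/logs/cloudaudit.googleapis.com%2F"  # constructed project
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
BQ = "bigquery.googleapis.com"
QUERY = "google.cloud.bigquery.v2.JobService.Query"        # sample method name
LIST = "google.cloud.bigquery.v2.TableDataService.List"    # sample method name

def entry(log, ts, service, method, who):
    """Build one constructed LogEntry as a JSON line (sample data, not real logs)."""
    payload = {"serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": who}}
    return json.dumps({"logName": LOG_PREFIX + log, "timestamp": ts, "protoPayload": payload})

SAMPLE_EXPORT = "\n".join([
    entry("activity", "2024-03-01T09:00:00Z", BQ, "UpdateDataset", "admin@example.com"),
    entry("data_access", "2024-02-10T14:21:07Z", BQ, QUERY, "analyst@example.com"),
    entry("data_access", "2024-04-02T08:05:44Z", BQ, QUERY, "analyst@example.com"),
    entry("data_access", "2024-01-15T23:10:00Z", BQ, LIST,
          "etl-sa@example-proj.iam.gserviceaccount.com"),
    entry("data_access", "2022-12-01T10:00:00Z", BQ, QUERY, "former@example.com"),
    entry("data_access", "2024-05-05T12:00:00Z", "storage.googleapis.com",
          "storage.objects.get", "reader@example.com"),
])

def readers_by_identity(export_text, now=SAMPLE_NOW, days=365):
    """Count BigQuery Data Access calls per (principal, method) inside the window."""
    cutoff = now - timedelta(days=days)
    counts = Counter()
    for line in export_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if not rec.get("logName", "").endswith(DATA_ACCESS_SUFFIX):
            continue  # Admin Activity entries say nothing about who read data
        payload = rec.get("protoPayload", {})
        if payload.get("serviceName") != BQ:
            continue
        when = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if when < cutoff:
            continue  # outside the audit window
        who = payload.get("authenticationInfo", {}).get("principalEmail") or "<unknown>"
        counts[(who, payload.get("methodName", "<unknown>"))] += 1
    return counts

if __name__ == "__main__":
    for (who, method), n in sorted(readers_by_identity(SAMPLE_EXPORT).items()):
        print(f"{who}\t{method}\t{n}")
```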
GCP Professional Cloud Security Engineer
Supporting compliance requirements