GCP Professional Cloud Security Engineer Practice Question
Your company wants to forward all Admin Activity and Data Access audit logs generated anywhere in its Google Cloud resource hierarchy (organization plus multiple folders and projects) to a centralized BigQuery dataset in a separate logging project. Several project-level engineers already maintain their own log sinks that export selected logs to Pub/Sub. You must meet the following requirements:
Forward every new and existing child resource's audit logs to the central dataset without requiring per-project configuration.
Ensure project-level sinks continue to function unchanged and are not disrupted or prevented from exporting their own copies.
Follow Google-recommended practices for granting permissions to the mechanism that writes into the BigQuery dataset.
Which approach should you take?
Enable Log Router at each folder level with an intercepting aggregated sink that exports all log types to the central dataset; remove permissions from project-level sinks to avoid duplicate exports.
Create a single aggregated sink at the organization level that routes logs to a Cloud Storage bucket, then build a scheduled Dataflow job to load the objects into BigQuery.
Create individual project-level log sinks in every existing project that export Admin Activity and Data Access logs to the central BigQuery dataset, and instruct the PMO to add this sink to future projects during onboarding.
Create a non-intercepting aggregated sink at the organization node with a filter resource.type=audited_resource AND log_id("cloudaudit.googleapis.com%2Factivity") OR log_id("cloudaudit.googleapis.com%2Fdata_access"); set the destination to the central BigQuery dataset and grant the sink's unique writer identity the BigQuery Data Editor role on that dataset.
Creating a non-intercepting aggregated sink at the organization level automatically brings in logs from all current and future folders and projects, satisfying the first requirement. Because it is non-intercepting, it does not block or alter any existing lower-level sinks, so project engineers' Pub/Sub exports continue to work, meeting the second requirement. Selecting BigQuery as the destination meets the central-storage goal; granting the sink's unique service account the BigQuery Data Editor role on the destination dataset follows Google's least-privilege guidance for allowing the sink to write while avoiding overly broad permissions. Creating individual project sinks, shared log buckets, or an intercepting sink would either fail to capture new projects automatically or would disable the existing project-level exports, violating the stated constraints.
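An added example (not part of the original question or of Google's tooling): a Python check that takes a sink's settings and the destination dataset's `access` list and reports which of the three requirements a configuration fails. Field names follow the Logging API `LogSink` resource and the BigQuery dataset resource; the organization ID, project, dataset and service-account values are constructed samples.

```python
AUDIT_LOG_IDS = ("cloudaudit.googleapis.com%2Factivity",
                 "cloudaudit.googleapis.com%2Fdata_access")
WRITE_ROLES = {"WRITER", "roles/bigquery.dataEditor"}  # legacy and IAM role names

def audit_sink(parent, sink, dataset_access):
    """Return findings; an empty list means every requirement is met."""
    findings = []
    # Requirement 1: one organization sink that covers all child resources.
    if not parent.startswith("organizations/"):
        findings.append("sink is not at the organization node")
    if not sink.get("includeChildren", False):
        findings.append("includeChildren is off: child resources are not covered")
    flt = sink.get("filter", "")  # an empty filter matches every log entry
    missing = [i for i in AUDIT_LOG_IDS if flt and i not in flt]
    if missing:
        findings.append("filter omits: " + ", ".join(missing))
    if not sink.get("destination", "").startswith("bigquery.googleapis.com/"):
        findings.append("destination is not a BigQuery dataset")
    # Requirement 2: lower-level sinks must keep receiving their logs.
    if sink.get("interceptChildren", False):
        findings.append("interceptChildren is on: project-level sinks are cut off")
    # Requirement 3: the sink's own writer identity holds the dataset grant.
    member = sink.get("writerIdentity", "").split(":", 1)[-1]
    granted = any(
        e.get("role") in WRITE_ROLES and member
        and member in (e.get("userByEmail"), e.get("iamMember", "").split(":", 1)[-1])
        for e in dataset_access)
    if not granted:
        findings.append("writer identity lacks write access on the dataset")
    return findings

# Constructed sample values, not taken from any real environment.
ORG = "organizations/123456789012"
WRITER = "service-org-123456789012@gcp-sa-logging.iam.gserviceaccount.com"
GOOD_SINK = {
    "name": "central-audit",
    "destination": "bigquery.googleapis.com/projects/logging-proj/datasets/audit",
    "filter": 'log_id("cloudaudit.googleapis.com%2Factivity") OR '
              'log_id("cloudaudit.googleapis.com%2Fdata_access")',
    "includeChildren": True,
    "interceptChildren": False,
    "writerIdentity": "serviceAccount:" + WRITER,
}
DATASET_ACCESS = [{"role": "OWNER", "userByEmail": "admin@example.com"},
                  {"role": "WRITER", "userByEmail": WRITER}]

if __name__ == "__main__":
    print(audit_sink(ORG, GOOD_SINK, DATASET_ACCESS))
    print(audit_sink(ORG, dict(GOOD_SINK, interceptChildren=True), []))
```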