GCP Professional Cloud Security Engineer Practice Question

Your company wants to forward all Policy Denied audit logs from every project in its organization to an external SIEM that consumes messages from a Pub/Sub subscription. As a Cloud Security Engineer, what should you do to set up a scalable, tamper-resistant export while minimizing configuration overhead across projects?

  • Configure an organization-level aggregated sink that exports the logs to a BigQuery dataset, then schedule a Dataflow job to stream the dataset into a Pub/Sub topic consumed by the SIEM.

  • Enable Policy Denied audit logs and VPC Flow Logs in each project and export them with a bucket-level sink to a Cloud Storage bucket that has object versioning enabled.

  • Create an organization-level aggregated log sink filtered for Policy Denied audit logs, set the destination to a Pub/Sub topic in a central security project, grant the sink's service account the Pub/Sub Publisher role on that topic, and allow the SIEM to create its own subscription.

  • Enable Policy Denied audit logs in every project and configure a separate project-level sink in each one that exports to a local Pub/Sub topic, then share all topics with the SIEM.

GCP Professional Cloud Security Engineer
Managing operations