GCP Professional Cloud Security Engineer Practice Question

Your organization aggregates Admin Activity audit logs from all projects into a centralized Logging bucket at the organization level. Security policy requires that a paging alert fire only when a new user-managed service account key is created, regardless of project. Which single log-based alert filter will meet this requirement most precisely while avoiding false positives from other IAM changes?

logName="projects/*/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.methodName="google.iam.admin.v1.SetIamPolicy" AND protoPayload.serviceName="iam.googleapis.com"
resource.type="service_account" AND severity>=ERROR
logName="organizations/123456789/logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.methodName="google.iam.admin.v1.DownloadServiceAccountKey"
logName="organizations/123456789/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="iam.googleapis.com" AND protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"

Report Issue

Answer Description

Admin Activity audit logs from the IAM API are written under the log name cloudaudit.googleapis.com/activity. When any user or service creates a user-managed key, the IAM Admin API method recorded in the log entry is google.iam.admin.v1.CreateServiceAccountKey. Scoping the alert filter to:

the centralized Admin Activity log (logName="organizations/…/logs/cloudaudit.googleapis.com%2Factivity"),
the IAM service (protoPayload.serviceName="iam.googleapis.com"), and
the exact method that creates a key (protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey") ensures that the alert triggers only for key-creation events and not for other IAM changes.
The other filters are incorrect because:
The second option watches for any log entry with severity ERROR on the service_account resource type; it would miss successful key creations and generate noise from unrelated errors.
The third option targets Data Access logs and the DownloadServiceAccountKey method, which detects key downloads, not creation, and would require enabling Data Access logs (often disabled by default).
The fourth option uses a wildcard project-level log name and the SetIamPolicy method, catching many unrelated IAM changes and generating false positives, while missing key creation events.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.