GCP Professional Cloud Security Engineer Practice Question
Your organization aggregates all Admin Activity and Policy Denied Cloud Audit Logs from every project into an organization-level log bucket called sec-audit. Security operations must be paged whenever a new Policy Denied entry whose status.message contains IAM_POLICY_DENIED is written to that bucket. They want to minimize additional Monitoring time-series and ensure only one notification is sent if several matching entries arrive within the same 30-minute window. Which approach best satisfies these requirements?
Create an organization-level counter logs-based metric with the same filter, then build a Cloud Monitoring alert policy that fires when the metric's value exceeds zero during a 5-minute window.
Define an organization-level logs-based alert that uses an advanced filter on logName:"cloudaudit.googleapis.com%2Fpolicy" AND status.message="IAM_POLICY_DENIED"; set the alert's notification rate limit to 30 minutes and attach the PagerDuty notification channel.
Enable Event Threat Detection in Security Command Center and configure finding notifications to send PagerDuty incidents when any access-denied threat is detected.
Add a log sink that exports the IAM_POLICY_DENIED entries to Pub/Sub; trigger a Cloud Function that calls the Cloud Monitoring Events API to open an incident and uses Cloud Tasks to deduplicate alerts for 30 minutes.
A logs-based alert defined at the organization level evaluates the incoming log stream directly with an advanced filter, so it fires as soon as a matching Policy Denied entry is ingested. Because logs-based alerts don't create or store custom metrics, they avoid the cardinality and cost overhead that counter metrics introduce, meeting the "minimize additional time-series" requirement. The alert policy itself lets you specify a 30-minute notification rate limit and attach the existing PagerDuty notification channel.
Creating a counter logs-based metric and separate alert would meet the functional need but contradicts the requirement to avoid generating extra Monitoring time-series. Exporting logs to Pub/Sub and invoking a Cloud Function adds unnecessary operational complexity and still requires custom code to suppress duplicates. Relying on Event Threat Detection findings does not guarantee coverage for every IAM_POLICY_DENIED message and would not directly leverage Cloud Monitoring alert policies.
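The alert described in the explanation, written out as a Cloud Monitoring AlertPolicy definition. This is an added example, not part of the original question: the display names are constructed, PROJECT_ID and CHANNEL_ID are placeholders for the existing PagerDuty notification channel, and the filter is copied verbatim from the answer option.

```yaml
# Added example: log-match alert policy (AlertPolicy resource, YAML form).
# No logs-based metric is defined, so no new Monitoring time-series is created.
displayName: "Policy Denied - IAM_POLICY_DENIED (sec-audit)"  # constructed name
combiner: OR
conditions:
  - displayName: "IAM_POLICY_DENIED entry written"            # constructed name
    # conditionMatchedLog evaluates each incoming log entry against the
    # filter instead of evaluating a metric threshold over a window.
    conditionMatchedLog:
      # Filter taken from the answer option on this page.
      filter: 'logName:"cloudaudit.googleapis.com%2Fpolicy" AND status.message="IAM_POLICY_DENIED"'
alertStrategy:
  # Send at most one notification per 30 minutes, however many entries match.
  notificationRateLimit:
    period: 1800s
notificationChannels:
  # Placeholder: resource name of the existing PagerDuty channel.
  - projects/PROJECT_ID/notificationChannels/CHANNEL_ID
```

The contrast with the counter-metric option is in the condition type: a metric-based policy would use conditionThreshold against a user-defined logging metric, which is what adds the extra time-series.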