GCP Professional Cloud Security Engineer Practice Question
Your organization has a folder called "Production" with hundreds of projects. A separate security project hosts a regional europe-west4 log bucket named "prod-audit-logs" protected by a customer-managed encryption key (CMEK). You must copy all Cloud Audit Logs (Admin Activity, Data Access, System Event, Policy Denied) from every current and future project under Production into that bucket. Project administrators must not be able to alter or delete the exported logs, and the solution should require minimal ongoing maintenance. What should you do?
Create an organization-level aggregated sink without filters that exports all logs to a CMEK-protected BigQuery dataset in europe-west4 and grant the dataset Data Editor role to the organization's Logs Router service account.
Configure a sink on the Production folder that exports logs to a Pub/Sub topic. Subscribe a Cloud Functions service that writes incoming messages into the "prod-audit-logs" bucket and grant its runtime service account the Storage Object Admin role.
In every Production project, create an individual sink that exports Cloud Audit Logs to a Cloud Storage bucket in the security project, enable object versioning for immutability, and rely on inherited IAM policies to restrict deletions.
Create a regional log bucket "prod-audit-logs" in the security project with CMEK. At the Production folder, create an aggregated sink with includeChildren=true and a filter matching cloudaudit.googleapis.com/* entries. Set the destination to logging.googleapis.com/projects/SECURITY_PROJECT/locations/europe-west4/buckets/prod-audit-logs and grant the folder's Logs Router service account the Logging Bucket Writer role on that bucket.
Create one aggregated log sink at the Production folder. Set includeChildren=true so the sink automatically captures logs from every existing and future descendant project. Use a filter that selects all cloudaudit.googleapis.com/* logs, and set the destination to logging.googleapis.com/projects/SECURITY_PROJECT/locations/europe-west4/buckets/prod-audit-logs. Grant the Production folder's Logs Router service account the Logging Bucket Writer (roles/logging.bucketWriter) IAM role on the destination bucket. This meets the requirements without creating per-project configuration or extra components.
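The sink and IAM grant described above, written out as gcloud commands. This is an added example, not part of the original question: the folder ID, sink name and IAM condition title are placeholders, and the script only prints the commands unless it is run with GCLOUD=gcloud.

```shell
#!/bin/sh
# Added example: folder-level aggregated sink for Cloud Audit Logs.
# FOLDER_ID, SINK_NAME and the condition title are placeholders (assumptions).
set -eu

FOLDER_ID="${FOLDER_ID:-123456789012}"             # placeholder Production folder ID
SECURITY_PROJECT="${SECURITY_PROJECT:-SECURITY_PROJECT}"
LOCATION="europe-west4"
BUCKET="prod-audit-logs"
SINK_NAME="${SINK_NAME:-prod-audit-to-security}"   # hypothetical sink name
# Dry run by default: each command is printed. Set GCLOUD=gcloud to execute.
GCLOUD="${GCLOUD:-echo gcloud}"

sink_destination() {
  printf 'logging.googleapis.com/projects/%s/locations/%s/buckets/%s' \
    "$SECURITY_PROJECT" "$LOCATION" "$BUCKET"
}

# Substring match on logName selects every cloudaudit.googleapis.com/* log
# (activity, data_access, system_event, policy).
audit_filter() { printf '%s' 'logName:"cloudaudit.googleapis.com"'; }

# One sink on the folder; --include-children covers current and future projects.
create_sink() {
  $GCLOUD logging sinks create "$SINK_NAME" "$(sink_destination)" \
    --folder="$FOLDER_ID" --include-children \
    --log-filter="$(audit_filter)"
}

# The sink's writer identity is the service account that needs write access.
writer_identity() {
  $GCLOUD logging sinks describe "$SINK_NAME" --folder="$FOLDER_ID" \
    --format='value(writerIdentity)'
}

# $1 = writer identity. The condition limits the grant to the one bucket.
grant_bucket_writer() {
  $GCLOUD projects add-iam-policy-binding "$SECURITY_PROJECT" \
    --member="$1" --role="roles/logging.bucketWriter" \
    --condition="expression=resource.name.endsWith('locations/$LOCATION/buckets/$BUCKET'),title=prod-audit-logs-writer"
}

main() {
  create_sink
  if [ "$GCLOUD" = "gcloud" ]; then member="$(writer_identity)"
  else writer_identity; member="WRITER_IDENTITY"; fi   # placeholder in dry run
  grant_bucket_writer "$member"
}
main
```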
GCP Professional Cloud Security Engineer
Managing operations