GCP Professional Cloud Security Engineer Practice Question
Your organization has an org-level aggregated Cloud Logging sink exporting all audit logs to BigQuery. After a breach, you confirm that several objects were downloaded from the sensitive Cloud Storage bucket in project "prod-secure." The dataset shows recent Admin Activity entries (such as bucket IAM changes) but no records identifying who read the objects. No log exclusions exist, and the sink filter already includes all logs. What most likely explains the missing read events, and what single configuration change will ensure they are logged going forward?
Cloud Storage records object downloads only in legacy bucket access logs; you need to enable Access Logs at the bucket level to capture future reads.
Data Access audit logs for Cloud Storage are disabled by default; you must explicitly enable the DATA_READ (and optionally DATA_WRITE) audit log type for the prod-secure project or higher so future object downloads are logged and exported.
Organization-level aggregated sinks cannot export Data Access audit logs; you must create separate project-level sinks in prod-secure to forward these events.
Object download events are written to VPC Flow Logs, which were never enabled for the subnet where the bucket's VM clients reside; turning on flow logs will provide the missing information.
Cloud Storage object downloads are recorded only in Data Access audit logs. Admin Activity audit logs (which cover the bucket IAM changes seen in the dataset) are always on and cannot be disabled, but Data Access audit logs are disabled by default for most Google Cloud services, including Cloud Storage, so no object-read entries were ever generated and the sink had nothing to export. Explicitly enabling the DATA_READ (and, if needed, DATA_WRITE) audit log type for Cloud Storage at the project, folder, or organization level will cause future object-read operations to appear in Cloud Logging and be exported by the existing sink. Legacy bucket access logs, VPC Flow Logs, or additional sinks would not address the absence of Data Access auditing.
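As an added illustration (not part of the original question), the following script checks the `auditConfigs` section of a project IAM policy, the structure returned by `gcloud projects get-iam-policy PROJECT --format=json`, for the DATA_READ/DATA_WRITE entry that Cloud Storage needs, and produces a corrected policy that can be applied with `gcloud projects set-iam-policy`. The sample policy and the group name in it are constructed; the `allServices` handling is an assumption based on how that catch-all entry applies to every service.

```python
"""Check whether a project's IAM policy enables Data Access audit logs for
Cloud Storage and, if not, return a policy with them added.

Input is the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json`;
the sample policy below is constructed for illustration."""
import copy
import json

STORAGE = "storage.googleapis.com"
REQUIRED = ("DATA_READ", "DATA_WRITE")

# Constructed sample: an auditConfigs entry exists for BigQuery only, so
# Cloud Storage object reads are never written to Data Access audit logs.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [{"role": "roles/storage.admin", "members": ["group:sec-ops@example.com"]}],
  "auditConfigs": [
    {"service": "bigquery.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"}]}
  ],
  "etag": "BwXconstructed="
}
""")

def enabled_log_types(policy, service):
    """Return the set of audit log types active for `service`.
    An `allServices` entry applies to every service, so it is merged in."""
    types = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            types.update(c["logType"] for c in cfg.get("auditLogConfigs", []))
    return types

def missing_log_types(policy, service=STORAGE):
    """Log types that must be enabled before object reads/writes are audited."""
    return [t for t in REQUIRED if t not in enabled_log_types(policy, service)]

def with_data_access_logs(policy, service=STORAGE):
    """Return a copy of the policy with DATA_READ/DATA_WRITE enabled for `service`,
    ready for `gcloud projects set-iam-policy PROJECT policy.json`."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    for t in missing_log_types(policy, service):
        entry["auditLogConfigs"].append({"logType": t})
    return fixed

if __name__ == "__main__":
    print("missing for Cloud Storage:", missing_log_types(SAMPLE_POLICY))
    print(json.dumps(with_data_access_logs(SAMPLE_POLICY)["auditConfigs"], indent=2))
```

Re-run the check after applying the policy: an empty list means future object downloads will be written to Cloud Logging and picked up by the existing aggregated sink.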