GCP Professional Cloud Security Engineer Practice Question

Your organization operates a multi-project GCP environment aligned with separate business units. Security engineers want to aggregate all Admin Activity, Data Access, VPC Flow, and application logs into a dedicated "sec-logs" project they own, while preserving least-privilege: individual developers must continue to see only the logs that originate from their own projects, and not the logs of other teams. Which architecture best satisfies these requirements with minimal operational overhead?

Configure a VPC Service Controls perimeter that contains all projects and rely on default aggregated audit logging; assign the Logging Private Log Viewer role to developers so they are automatically limited to their own project's logs.
Enable Cloud Logging in every project and write logs to individual BigQuery datasets. Share each dataset with the security team and run scheduled queries that union all datasets into a consolidated dataset inside the sec-logs project.
Create an aggregated sink at the organization level that routes all logs to a log bucket in the sec-logs project. Grant the security team Logging Viewer on that bucket and create project-specific log views that restrict each development team to only their project's logs.
Export each project's logs to its own Cloud Storage bucket, enable bucket-level Object ACLs for the development teams, and use Transfer Service to copy the objects nightly to the sec-logs project.

Report Issue

Answer Description

An aggregated sink created at the organization (or folder) level automatically routes log entries from every descendant project to the destination that you specify. If that sink points to a log bucket hosted in the dedicated sec-logs project, the security team can receive all logs in one place. Access can then be narrowed by creating log views on that bucket that filter to a specific project ID and granting each development team the Logging Viewer role on only the view that exposes its own project's data. This preserves the principle of least privilege without requiring per-project exports, ACL management, or additional data-movement workflows. The other options either introduce complex transfer jobs, duplicate storage, or rely on mechanisms (VPC Service Controls, BigQuery federation) that do not natively enforce project-scoped visibility in Cloud Logging.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.