GCP Professional Cloud Security Engineer Practice Question
Your organization processes cardholder data in a dedicated Google Cloud project. The compliance team requires that you capture every change to IAM policies across the project, and log all successful and failed reads and writes to the Cloud Storage bucket that stores cardholder data. To reduce log-ingestion cost, they want to collect only the minimum additional audit logs needed. Which logging configuration best satisfies these requirements while minimizing extra log volume?
Enable Data Access audit logs for every service in the project and disable Admin Activity logs to avoid duplicate entries, then export all audit logs to Cloud Storage.
Enable System Event audit logs for the project and configure them to include data reads and writes, then export those logs for retention.
Enable Data Access audit logs for Cloud Storage at the project level and create a sink that exports only entries for the cardholder-data bucket; rely on the always-on Admin Activity audit logs for IAM policy changes.
Rely solely on Admin Activity audit logs, because they already capture both IAM policy changes and Cloud Storage object reads and writes.
Admin Activity audit logs are generated for every Google Cloud service and cannot be disabled, so they already capture all IAM policy changes without any additional configuration. Data Access audit logs record object read and write operations in Cloud Storage, but they are disabled by default because of their high volume and cost. Enabling Data Access logging for Cloud Storage at the project level activates those logs for all buckets, after which a log sink can filter and export only the entries whose resource name corresponds to the sensitive bucket. This yields the required evidence for cardholder-data access while keeping other Data Access logs from being stored. System Event logs capture Google-initiated infrastructure changes, not user data access, and cannot be enabled or disabled. Admin Activity logs cannot be configured at the bucket level, and they do not include object data reads or writes. Therefore, enabling Cloud Storage Data Access logs and relying on the always-on Admin Activity logs is the only option that meets the compliance goals with the least extra logging.
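The configuration the explanation describes, sketched as an added example (not part of the original question, and not Google's own tooling): it merges Cloud Storage DATA_READ/DATA_WRITE into a project IAM policy's `auditConfigs`, builds the sink filter for one bucket, and checks that filter against constructed log entries. The project and bucket names and all helper names are assumptions.

```python
import copy

GCS = "storage.googleapis.com"
NEEDED = ("DATA_READ", "DATA_WRITE")  # object reads/writes; ADMIN_READ not required here
PROJECT, BUCKET = "example-chd-project", "example-chd-bucket"  # placeholders (assumed)

def enable_gcs_data_access(policy):
    """Return a copy of an IAM policy dict with NEEDED log types on for Cloud Storage only."""
    out = copy.deepcopy(policy)
    configs = out.setdefault("auditConfigs", [])
    cfg = next((c for c in configs if c.get("service") == GCS), None)
    if cfg is None:
        cfg = {"service": GCS}
        configs.append(cfg)
    logs = cfg.setdefault("auditLogConfigs", [])
    have = {c["logType"] for c in logs}
    # Append only what is missing so existing exemptedMembers are left untouched.
    logs += [{"logType": t} for t in NEEDED if t not in have]
    return out

def data_access_log(project):
    return f"projects/{project}/logs/cloudaudit.googleapis.com%2Fdata_access"

def sink_filter(project, bucket):
    """Logging-query filter for a sink that exports one bucket's Data Access entries."""
    return (f'logName="{data_access_log(project)}" AND resource.type="gcs_bucket" '
            f'AND resource.labels.bucket_name="{bucket}"')

def sink_exports(entry, project, bucket):
    """Local stand-in for sink_filter(), applied to a LogEntry-shaped dict."""
    res = entry.get("resource", {})
    return (entry.get("logName") == data_access_log(project)
            and res.get("type") == "gcs_bucket"
            and res.get("labels", {}).get("bucket_name") == bucket)

def sample(log, rtype, labels):
    return {"logName": f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2F{log}",
            "resource": {"type": rtype, "labels": labels}}

# Constructed sample entries, trimmed to the fields the filter reads.
SAMPLES = [
    sample("data_access", "gcs_bucket", {"bucket_name": BUCKET}),          # exported
    sample("data_access", "gcs_bucket", {"bucket_name": "other-bucket"}),  # not exported
    sample("activity", "project", {"project_id": PROJECT}),  # Admin Activity, always on
]

if __name__ == "__main__":
    print(enable_gcs_data_access({"bindings": []})["auditConfigs"])
    print(sink_filter(PROJECT, BUCKET))
    print([sink_exports(e, PROJECT, BUCKET) for e in SAMPLES])
```

The policy dict has the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`; the merged result is what would be written back with `set-iam-policy`.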
GCP Professional Cloud Security Engineer
Supporting compliance requirements