GCP Professional Cloud Security Engineer Practice Question

Your organization recently enabled Security Command Center (SCC) Premium at the organization level. You must ensure that any Cloud Storage bucket that becomes publicly accessible in any existing or future project is detected. When a HIGH-severity finding of this type appears, it has to be sent immediately to an existing Pub/Sub topic that feeds the corporate SIEM. Security analysts must be able to acknowledge or mute the finding in SCC, but they must not be able to change bucket configurations. Which combination of actions will meet these requirements with the least ongoing operational effort?

Configure a Cloud Asset Inventory feed for resource type storage.googleapis.com/Bucket with a condition that matches public IAM policies, export the feed to the Pub/Sub topic, and give the analyst group roles/cloudasset.viewer so they can mark resources as compliant once fixed.
Enable Event Threat Detection, create a log sink that exports storage.setIamPolicy Cloud Audit Logs to the Pub/Sub topic, and grant the analyst group the IAM role roles/storage.admin so they can investigate and resolve findings.
Enable SCC Standard in every project, configure a project-level notification configuration that filters on category="PUBLIC_BUCKET_ACL", and grant the analyst group the roles/owner role on each project so they can acknowledge findings.
Enable Security Health Analytics in SCC at the organization level, create an organization-level notification configuration that filters on severity="HIGH" AND category="BUCKET_IAM_PUBLICLY_ACCESSIBLE" and sends findings to the SIEM Pub/Sub topic, and grant the analyst group the IAM role roles/securitycenter.findingsEditor on the organization.

Report Issue

Answer Description

Enabling Security Command Center Premium at the organization level automatically onboards every current and future project, so no per-project work is required. Security Health Analytics includes the detector BUCKET_IAM_PUBLICLY_ACCESSIBLE, which is emitted with HIGH severity when a bucket becomes public. Creating an organization-level notification configuration with a filter such as severity="HIGH" AND category="BUCKET_IAM_PUBLICLY_ACCESSIBLE" routes only the relevant findings to the Pub/Sub topic used by the SIEM. Granting the analyst group the predefined role roles/securitycenter.findingsEditor lets them update, mute, or mark findings as acknowledged, but it does not grant any permissions to modify the underlying Cloud Storage buckets. The other choices either rely on log sinks or Cloud Asset Inventory (extra configuration and no native finding life-cycle management), require per-project setup, or grant overly broad permissions (for example, Storage Admin or Owner), which violates the least-privilege requirement.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.