GCP Professional Cloud Security Engineer Practice Question
Your organization runs hundreds of GCP projects. A recent security incident involved the public exposure and download of sensitive Cloud Storage objects. Event Threat Detection flagged the exposure, but the incident response team could not determine which IAM principal actually downloaded the data because the required log entries were missing. During the post-mortem you must recommend a preventive action that both improves future investigations and enables centralized analysis while limiting operational overhead. What should you propose?
Enable DEBUG-level logging on all storage buckets and retain application logs locally in each project for 7 years.
Configure Packet Mirroring for all VPCs and send traffic to Cloud IDS; disable Data Access audit logs to avoid duplicate logging charges.
Turn on VPC Flow Logs for every subnet and export them to Cloud Storage; rely on the source IP address to identify future data exfiltration events.
Enable Data Access audit logs for Cloud Storage at the organization level and create an aggregated log sink that exports these logs to a centrally managed BigQuery dataset with partitioned, 1-year retention for analysis.
Cloud Storage object-level access is recorded only in Data Access audit logs, which are disabled by default for most services. Enabling these logs at the organization level guarantees coverage for every current and future project and eliminates per-project configuration drift. Creating an aggregated sink exports all Data Access logs to a central BigQuery dataset where time-partitioned tables allow scalable, long-term retention and SQL-based analysis, supporting rapid incident investigations. The other options either fail to capture the required identity-aware events, store logs in siloed project buckets that hinder enterprise-wide searches, or actually suppress the very logs needed for root-cause analysis, thereby weakening security posture.
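The attribution step that was impossible during the incident, as an added example (not part of the original question): once Data Access audit logs reach a central store, object reads on a bucket can be grouped by IAM principal. The entries are constructed in the Cloud Audit Logs `LogEntry` shape; the bucket, project and principal names are hypothetical.

```python
from collections import defaultdict

DATA_ACCESS_SUFFIX = "cloudaudit.googleapis.com%2Fdata_access"

def _entry(project, log, method, resource, principal, ip, ts):
    """Build a constructed LogEntry dict with the audit-log fields used below."""
    return {"logName": f"projects/{project}/logs/cloudaudit.googleapis.com%2F{log}",
            "timestamp": ts,
            "protoPayload": {"serviceName": "storage.googleapis.com",
                             "methodName": method, "resourceName": resource,
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerIp": ip}}}

# Constructed sample entries (hypothetical projects, bucket and principals).
B = "projects/_/buckets/hr-exports/objects/"
SAMPLE_ENTRIES = [
    _entry("proj-a", "data_access", "storage.objects.get", B + "payroll.csv",
           "alice@example.com", "203.0.113.10", "2024-05-01T10:02:00Z"),
    _entry("proj-a", "data_access", "storage.objects.get", B + "reviews.csv",
           "alice@example.com", "203.0.113.10", "2024-05-01T10:01:00Z"),
    _entry("proj-a", "data_access", "storage.objects.get", B + "payroll.csv",
           "etl@proj-b.iam.gserviceaccount.com", "198.51.100.7", "2024-05-01T09:00:00Z"),
    _entry("proj-a", "data_access", "storage.objects.list", "projects/_/buckets/hr-exports",
           "bob@example.com", "192.0.2.4", "2024-05-01T08:00:00Z"),
    _entry("proj-a", "activity", "storage.setIamPermissions", "projects/_/buckets/hr-exports",
           "bob@example.com", "192.0.2.4", "2024-05-01T07:00:00Z"),
    _entry("proj-c", "data_access", "storage.objects.get",
           "projects/_/buckets/public-site/objects/index.html",
           "carol@example.com", "192.0.2.9", "2024-05-01T11:00:00Z"),
]

def object_reads_by_principal(entries, bucket):
    """Map each principal to the objects it read from `bucket`, with caller IPs."""
    prefix = f"projects/_/buckets/{bucket}/objects/"
    found = defaultdict(lambda: {"objects": set(), "caller_ips": set(), "first_seen": None})
    for e in entries:
        p = e.get("protoPayload", {})
        # Keep only Data Access entries that are object reads on the target bucket.
        if (not e.get("logName", "").endswith(DATA_ACCESS_SUFFIX)
                or p.get("methodName") != "storage.objects.get"
                or not p.get("resourceName", "").startswith(prefix)):
            continue
        who = p.get("authenticationInfo", {}).get("principalEmail") or "(no principal recorded)"
        rec = found[who]
        rec["objects"].add(p["resourceName"][len(prefix):])
        rec["caller_ips"].add(p.get("requestMetadata", {}).get("callerIp", "unknown"))
        # RFC 3339 UTC timestamps of equal precision sort lexicographically.
        ts = e.get("timestamp", "")
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
    return {k: {"objects": sorted(v["objects"]), "caller_ips": sorted(v["caller_ips"]),
                "first_seen": v["first_seen"]} for k, v in found.items()}
```

Without the Data Access entries, only the Admin Activity entry in the sample would exist, and it records who changed the bucket's IAM policy, not who read the objects.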
GCP Professional Cloud Security Engineer
Managing operations