GCP Professional Cloud Security Engineer Practice Question
Your organization stores sensitive customer records in several Cloud Storage buckets within the production project. A new regulation requires that every API call which reads or writes object data in these buckets be logged and retained for a year. Admin Activity audit logs are already collected automatically for all services. You are asked to satisfy the new requirement while avoiding unnecessary log volume and charges for other Google Cloud services. Which configuration should you apply?
Turn on VPC Flow Logs for the subnet that hosts the Cloud Storage buckets to capture read and write operations.
Enable Data Access audit logging for all services at the organization level so every API call in every project is captured.
Create a log sink that exports existing Admin Activity audit logs for the project to BigQuery for long-term retention.
Update the project's IAM policy to add an AuditConfig that enables only DATA_READ and DATA_WRITE logs for the service "storage.googleapis.com".
Data Access audit logs are disabled by default for all Google Cloud services except BigQuery, and they can quickly become high-volume and chargeable. To capture only data-plane operations on Cloud Storage objects without generating logs for every other service, you must explicitly enable Data Access logging just for Cloud Storage in the affected project. This is done by adding an AuditConfig to the project's IAM policy that lists the service name "storage.googleapis.com" and the log types "DATA_READ" and "DATA_WRITE". Admin Activity logs need no action because they are always on. Enabling Data Access logging at the organization level (or for all services) would capture far more logs and increase cost, while VPC Flow Logs or an export of the existing Admin Activity logs would not record object-level reads and writes.
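As an added example (not part of the practice question or of Google's own tooling), the Python helper below merges the AuditConfig described above into a policy document in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns. The sample policy, its etag and the member name are constructed, and PROJECT_ID is a placeholder; the helper only touches the storage.googleapis.com entry, so existing bindings, the etag and any other service's audit settings survive the round trip.

```python
import copy
import json

# Constructed sample: the (trimmed) shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# No auditConfigs are present, i.e. Data Access logging is off for Cloud Storage.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:analysts@example.com"]}
    ],
    "etag": "BwXconstructedEtag=",  # constructed; the real etag guards against lost updates
    "version": 1,
}


def enable_data_access_logs(policy, service="storage.googleapis.com",
                            log_types=("DATA_READ", "DATA_WRITE")):
    """Return a copy of `policy` whose auditConfigs turn on the given Data Access
    log types for exactly one service. Entries for other services and any log
    types already enabled for this service are kept, so the change never widens
    logging beyond the one service the requirement names."""
    updated = copy.deepcopy(policy)
    audit_configs = updated.setdefault("auditConfigs", [])
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    already_on = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in log_types:
        if log_type not in already_on:
            entry["auditLogConfigs"].append({"logType": log_type})
    return updated


def enabled_log_types(policy, service):
    """Sorted list of log types enabled for `service` (empty if none)."""
    for c in policy.get("auditConfigs", []):
        if c.get("service") == service:
            return sorted(l["logType"] for l in c.get("auditLogConfigs", []))
    return []


if __name__ == "__main__":
    new_policy = enable_data_access_logs(SAMPLE_POLICY)
    # Save this output as policy.json and apply it with:
    #   gcloud projects set-iam-policy PROJECT_ID policy.json
    print(json.dumps(new_policy, indent=2))
```

Because the etag is carried through unchanged, `set-iam-policy` rejects the write if someone else modified the policy in between, which avoids silently overwriting a concurrent IAM change.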