GCP Professional Cloud Security Engineer Practice Question
Your organization wants to export all Cloud Audit Logs (Admin Activity and Data Access) from every Google Cloud project to a central log bucket in a dedicated security project. Many teams already have project-level sinks that forward the same logs to other destinations, which must not receive a second copy. The security team also needs to keep exporting logs from its own project to an external SIEM and does not want its logs in the central bucket. You are asked to implement the organization-level export without asking individual teams to modify their existing sinks and while avoiding any duplicate log deliveries. What should you do?
In every project except the security team's, deploy a project-level sink that exports Admin Activity and Data Access logs to the central bucket, and instruct teams to remove any overlapping sinks after migration.
Create a non-intercepting aggregated sink at the organization level that exports Admin Activity and Data Access logs to the central bucket and uses a filter to exclude the security team's project.
Create an intercepting aggregated sink at the organization level with includeChildren=true. Set an advanced filter that selects all Admin Activity and Data Access logs except those whose resource.labels.project_id equals the security team's project, and route the sink to the central bucket.
Schedule a BigQuery Data Transfer Service job that copies Admin Activity and Data Access logs from each project's _Required log bucket into a central BigQuery dataset, then write a view to exclude the security project.
An intercepting aggregated sink created at the organization (or folder) level stops any matching log entries from being processed by sinks lower in the resource hierarchy, which eliminates duplicate exports. A filter such as logName:("cloudaudit.googleapis.com/activity" OR "cloudaudit.googleapis.com/data_access") AND resource.labels.project_id!="security-prj" selects the required audit logs while excluding those from the security team's project. Because intercepted entries never reach the child sinks, existing project-level sinks continue to work only for logs that the intercepting sink does not match, so the security project can still export its own logs independently and no other project receives duplicate copies. Non-intercepting sinks or project-by-project configuration would either duplicate data or require each team to change its sinks, while BigQuery Data Transfer Service cannot collect logs directly from Cloud Logging.
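The routing behaviour described in the explanation, as a simplified model added here for illustration (not part of the original question and not Google's implementation). The Entry fields, the team-a-prj project and the destination names are constructed assumptions; only the filter logic and the security-prj project id come from the explanation.

```python
from dataclasses import dataclass

AUDIT_LOG_IDS = {"cloudaudit.googleapis.com/activity",
                 "cloudaudit.googleapis.com/data_access"}
SECURITY_PROJECT = "security-prj"  # project id used in the page's filter

@dataclass(frozen=True)
class Entry:  # hypothetical, reduced stand-in for a log entry
    project_id: str
    log_id: str

def is_audit(e: Entry) -> bool:
    return e.log_id in AUDIT_LOG_IDS

def org_filter(e: Entry) -> bool:
    """The page's filter: audit logs from every project except security-prj."""
    return is_audit(e) and e.project_id != SECURITY_PROJECT

# Constructed project-level sinks: project id -> (filter, destination).
PROJECT_SINKS = {
    "team-a-prj": (is_audit, "team-a-bigquery"),
    SECURITY_PROJECT: (is_audit, "external-siem"),
}

def route(e: Entry, intercepting: bool) -> list:
    """Return every destination that receives the entry."""
    destinations = []
    matched = org_filter(e)
    if matched:
        destinations.append("central-bucket")
    # An intercepting sink stops matching entries before child sinks see them.
    if matched and intercepting:
        return destinations
    sink = PROJECT_SINKS.get(e.project_id)
    if sink and sink[0](e):
        destinations.append(sink[1])
    return destinations

SAMPLE = [  # constructed entries
    Entry("team-a-prj", "cloudaudit.googleapis.com/activity"),
    Entry("team-a-prj", "cloudaudit.googleapis.com/data_access"),
    Entry(SECURITY_PROJECT, "cloudaudit.googleapis.com/activity"),
    Entry("team-a-prj", "syslog"),
]

if __name__ == "__main__":
    for mode in (False, True):
        for e in SAMPLE:
            print("intercepting" if mode else "non-intercepting", e, route(e, mode))
```

With intercepting=False the team-a-prj audit entries reach both the central bucket and the team's existing sink; with intercepting=True they reach only the central bucket, and security-prj entries go only to the SIEM in either mode.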
GCP Professional Cloud Security Engineer
Managing operations