GCP Professional Cloud Security Engineer Practice Question
Your security operations team runs Google Cloud Security Command Center (SCC) Premium across the entire organization. Event Threat Detection has generated a high-severity finding that suggests credential exfiltration in several production projects. Per your incident-response agreement, on-call Mandiant analysts must receive the related log data within minutes so they can start triage, but they must not gain broad access to your internal logs. You also need to keep an untampered, long-term copy of all incident-related log entries for later forensic analysis. Which approach best meets these requirements?
Enable BigQuery log export for the impacted projects, share the dataset with the Mandiant service account, and run a scheduled Dataflow job every six hours to copy the tables to an immutable bucket.
Grant the Mandiant service account the Logging Viewer role on each affected project and enable real-time streaming in Logs Explorer; rely on the default Cloud Audit Logs retention for forensic preservation.
Provide Viewer access to the SCC dashboard at the organization level and instruct Mandiant to download any required logs directly from the console.
Create two aggregated organization-level log sinks with identical filters: one streams matching entries to a Pub/Sub topic in an "ir-partner" project where the Mandiant service account has only the Pub/Sub Subscriber role; the other exports the same entries to a Cloud Storage bucket that has object versioning and a locked retention policy.
Creating two separate aggregated organization-level log sinks with identical filters meets all objectives. The first sink streams matching log entries in near real time to a Pub/Sub topic located in a dedicated "ir-partner" project; granting the Mandiant-supplied service account the Pub/Sub Subscriber IAM role lets the analysts pull or stream only those entries, honoring least privilege. The second sink exports the same filtered logs to a Cloud Storage bucket that has both object versioning enabled and a locked retention policy, ensuring that no log object can be altered or deleted during the retention period, thus providing an immutable archive. The alternatives either expose excessive log access (project-level Logging Viewer), introduce unacceptable latency (the BigQuery export with its six-hour copy job), or fail to preserve raw logs immutably (SCC dashboard access only).
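As an added example (not part of the original question or the exam provider's material), the following gcloud runbook builds the design described in the explanation: one shared filter, a Pub/Sub sink in the partner project with subscription-level access for the partner service account, and a versioned, retention-locked Cloud Storage sink. The organization id, project, service account, topic, subscription and bucket names, the retention period and the log filter are placeholders or constructed values to replace with your own; `plan` prints the commands and `apply` executes them.

```bash
#!/usr/bin/env bash
# Builds the design from the explanation above: one shared filter, two aggregated
# organization-level sinks (Pub/Sub for the partner, locked Cloud Storage for forensics).
# Every identifier below is a placeholder; override it via the environment before use.
set -eu
ORG_ID="${ORG_ID:-000000000000}"           # placeholder organization id
IR_PROJECT="${IR_PROJECT:-ir-partner}"      # dedicated incident-response partner project
MANDIANT_SA="${MANDIANT_SA:-mandiant-ir@ir-partner.iam.gserviceaccount.com}"  # placeholder
TOPIC="ir-incident-logs"; SUB="ir-mandiant-pull"; BUCKET="ir-forensic-archive-placeholder"
RETENTION="${RETENTION:-3650d}"             # assumed retention period (10 years)
# Constructed filter: audit-log entries from the impacted projects only, so neither
# sink exports unrelated organization logs (narrow it further to the finding's resources).
FILTER='logName:"cloudaudit.googleapis.com" AND (resource.labels.project_id="prod-a" OR resource.labels.project_id="prod-b")'

run() {  # DRY_RUN=1 prints each command instead of executing it
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}
sink_writer() {  # service account Logging assigns to a sink; placeholder when dry-running
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "serviceAccount:dry-run-writer@example.invalid"; return; fi
  gcloud logging sinks describe "$1" --organization="$ORG_ID" --format='value(writerIdentity)'
}
make_sink() {  # $1 sink name, $2 destination; same filter for both, child projects included
  run gcloud logging sinks create "$1" "$2" --organization="$ORG_ID" \
      --include-children --log-filter="$FILTER"
}
deploy() {
  # 1. Near-real-time path: the sink publishes into ir-partner; Mandiant may only subscribe.
  run gcloud pubsub topics create "$TOPIC" --project="$IR_PROJECT"
  make_sink ir-sink-pubsub "pubsub.googleapis.com/projects/$IR_PROJECT/topics/$TOPIC"
  run gcloud pubsub topics add-iam-policy-binding "$TOPIC" --project="$IR_PROJECT" \
      --member="$(sink_writer ir-sink-pubsub)" --role=roles/pubsub.publisher
  run gcloud pubsub subscriptions create "$SUB" --topic="$TOPIC" --project="$IR_PROJECT"
  run gcloud pubsub subscriptions add-iam-policy-binding "$SUB" --project="$IR_PROJECT" \
      --member="serviceAccount:$MANDIANT_SA" --role=roles/pubsub.subscriber
  # 2. Forensic path: versioned bucket, retention policy locked (irreversible), and the
  #    sink may only create objects, never read, overwrite or delete them.
  run gcloud storage buckets create "gs://$BUCKET" --project="$IR_PROJECT" \
      --retention-period="$RETENTION" --uniform-bucket-level-access
  run gcloud storage buckets update "gs://$BUCKET" --versioning
  run gcloud storage buckets update "gs://$BUCKET" --lock-retention-period
  make_sink ir-sink-gcs "storage.googleapis.com/$BUCKET"
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
      --member="$(sink_writer ir-sink-gcs)" --role=roles/storage.objectCreator
}
# Usage: ./ir-sinks.sh plan   (print the commands)   ./ir-sinks.sh apply   (execute them)
case "${1:-}" in plan) export DRY_RUN=1; deploy ;; apply) deploy ;; esac
```

Each sink's writer identity must be granted publish or object-create rights on its own destination, which is why the script reads the identity back after creating each sink; the partner account is bound on the subscription rather than the project, so it can consume only the filtered stream.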
GCP Professional Cloud Security Engineer
Managing operations