GCP Professional Cloud Security Engineer Practice Question
Your security team must retain a complete record of every IAM policy change across all projects and all data read or write operations on BigQuery datasets tagged pii=true. You created an aggregated sink at the organization level that exports every Cloud Audit Log entry (Admin Activity, Data Access, System Event, and Policy Denied) to a long-term BigQuery dataset, but the billing team reports a sharp rise in Cloud Logging charges. What should you do to reduce logging costs while still meeting the CISO's requirements?
Disable System Event audit logs at the organization level because they are high-volume and billable; keep all other audit log types in the export.
Modify the aggregated sink's filter to export all ADMIN_ACTIVITY logs plus only DATA_READ and DATA_WRITE audit logs whose resource.type is bigquery_dataset and whose dataset label pii equals true.
Remove POLICY_DENIED audit logs from the export because they incur ingestion charges and are not needed for the compliance requirement.
Keep the existing sink but shorten log retention in Cloud Logging to one week, then rely on the BigQuery export for long-term storage.
Admin Activity audit logs are always on, cannot be disabled, and are not billed for ingestion, so keeping them in the export has no cost impact. System Event and Policy Denied logs are also always on and free to ingest, but they are not required for the stated compliance goal. Data Access audit logs are chargeable and disabled by default for most services, except BigQuery, whose Data Access logs (DATA_READ and DATA_WRITE) are always generated. Logging costs rise because the current sink exports all audit log types, including high-volume, billable Data Access logs from every service. By narrowing the sink's filter so that it continues to export all ADMIN_ACTIVITY logs (free) but restricts DATA_READ and DATA_WRITE entries to only BigQuery resources whose dataset labels include pii=true, you preserve the mandated visibility and dramatically cut the volume of billable log entries.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why are Data Access audit logs for BigQuery always generated, and what makes these logs billable?
Open an interactive chat with Bash
What is an aggregated sink, and why is it useful in Cloud Logging?
Open an interactive chat with Bash
What are the benefits of filtering audit logs based on resource type and labels in Cloud Logging?
Open an interactive chat with Bash
What is an IAM policy in GCP?
Open an interactive chat with Bash
What are Cloud Audit Logs in GCP?
Open an interactive chat with Bash
How does an aggregated sink work in GCP logging?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Managing operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .