
Answer-first summary for fast verification
Answer: Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
Option A is the correct answer because it provides an automated, real-time solution using Cloud Pub/Sub and Cloud Functions to trigger Data Loss Prevention (DLP) scans on file uploads. If PII is detected, the function moves the file to a secure bucket accessible only by the administrator, ensuring analysts never access PII-containing logs. This aligns with the requirement to segregate PII data and restrict access.
Option B is incorrect as deleting files with PII violates the requirement to store them in a separate administrator-only bucket.
Option C is unsuitable because Object Lifecycle Management cannot detect PII content; it only manages object lifecycle based on time or other metadata.
Option D is flawed as Cloud Storage Triggers cannot natively detect PII; they require integration with DLP, which is not mentioned, and deletion would again violate the storage requirement.
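The flow option A describes, sketched as an added example (not part of the original question and not Google's sample code): a Pub/Sub-triggered handler reads the Cloud Storage notification, inspects the log with Cloud DLP, and moves it to the administrator bucket on any finding. The bucket name, the `DLP_PROJECT` variable, the infoType list and the fail-closed handling of scan errors are assumptions.

```python
import os

# Assumed names, not from the page: admin-only bucket, project variable, infoTypes.
ADMIN_BUCKET = "logs-pii-admin-only"
PROJECT = os.environ.get("DLP_PROJECT", "example-project")
INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER", "CREDIT_CARD_NUMBER"]


def dlp_findings(dlp, project, text):
    """Inspect text with Cloud DLP and return its findings (empty list = no PII)."""
    # inspect_content has a request size limit; very large logs need a DLP
    # storage inspection job instead of this inline call.
    response = dlp.inspect_content(request={
        "parent": f"projects/{project}",
        "inspect_config": {"info_types": [{"name": n} for n in INFO_TYPES]},
        "item": {"value": text},
    })
    return list(response.result.findings)


def handle_upload(event, storage, dlp, project=PROJECT):
    """Process one Cloud Storage notification delivered through Pub/Sub."""
    attrs = event.get("attributes") or {}
    if attrs.get("eventType") != "OBJECT_FINALIZE":
        return "ignored"  # deletes, metadata updates, etc.
    shared = storage.bucket(attrs["bucketId"])
    blob = shared.blob(attrs["objectId"])
    try:
        has_pii = bool(dlp_findings(dlp, project, blob.download_as_text()))
    except Exception:
        has_pii = True  # fail closed: an unscannable log is treated as PII
    if not has_pii:
        return "clean"
    # Copy first, delete second, so a failed copy never loses the log.
    shared.copy_blob(blob, storage.bucket(ADMIN_BUCKET), attrs["objectId"])
    blob.delete()
    return "quarantined"


def scan_uploaded_log(event, context):
    """Cloud Functions entry point (Pub/Sub trigger); uses the real Google clients."""
    from google.cloud import dlp_v2, storage  # imported lazily so tests run offline
    return handle_upload(event, storage.Client(), dlp_v2.DlpServiceClient())
```

`handle_upload` takes the storage and DLP clients as arguments so the move logic can be exercised with stand-in objects; `scan_uploaded_log` is the entry point that wires in the real clients.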
Author: LeetQuiz Editorial Team
A company stores application logs in a Cloud Storage bucket that is accessible to both analysts and an administrator. Analysts must only be able to access logs that do not contain Personally Identifiable Information (PII). Logs containing PII must be stored in a separate bucket that is only accessible by the administrator.
What should you do?
A
Use Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, have the function move the file into a Cloud Storage bucket only accessible by the administrator.
B
Upload the logs to both the shared bucket and the bucket only accessible by the administrator. Create a job trigger using the Cloud Data Loss Prevention API. Configure the trigger to delete any files from the shared bucket that contain PII.
C
On the bucket shared with both the analysts and the administrator, configure Object Lifecycle Management to delete objects that contain any PII.
D
On the bucket shared with both the analysts and the administrator, configure a Cloud Storage Trigger that is only triggered when PII data is uploaded. Use Cloud Functions to capture the trigger and delete such files.