
Answer-first summary for fast verification
Answer: Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.
Option D is the correct answer because it scans files for PII before they reach the shared bucket. Files are uploaded to the administrator's bucket first, and each upload triggers a Cloud DLP scan via Pub/Sub and Cloud Functions. Only files without PII are moved to the shared bucket, so analysts never have access to PII-containing logs. This method prevents PII exposure by design, unlike option A, which uploads files to both buckets initially and then attempts to delete PII from the shared bucket, creating a temporary exposure risk. Option B is incorrect because Object Lifecycle Management cannot detect PII content. Option C is flawed because Cloud Storage triggers cannot directly detect PII; it would require additional scanning logic, making D more streamlined with built-in DLP integration.
Author: LeetQuiz Editorial Team
You need to store application logs in a shared Cloud Storage bucket accessible to both administrators and analysts. Analysts must not be able to access any logs containing personally identifiable information (PII). Log files with PII must be stored in a separate bucket that is only accessible to administrators. What should you do?
A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain PII from the shared bucket.
B. On the shared bucket, configure Object Lifecycle Management to delete objects that contain PII.
C. On the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain PII.
D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.
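
The flow in option D, sketched as an added example (not part of the original question or any Google sample): a Pub/Sub-triggered Cloud Function that scans each new object and fails closed. The project ID, shared bucket name and infoType list are assumptions, and it assumes log objects small enough for inline DLP inspection.

```python
# Assumed values for illustration; none of these names come from the page.
PROJECT = "example-project"
SHARED_BUCKET = "example-shared-logs"
INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER", "CREDIT_CARD_NUMBER"]


def route_object(name, read_text, has_pii, move_to_shared):
    """Decide where an uploaded log ends up. Fails closed: the object leaves
    the administrator-only bucket only after a scan that completed cleanly."""
    try:
        flagged = has_pii(read_text(name))
    except Exception:
        return "kept: scan failed"       # unreadable or unscanned stays restricted
    if flagged:
        return "kept: PII found"
    move_to_shared(name)
    return "moved"


def on_upload(event, context):
    """Pub/Sub-triggered function fed by the admin bucket's upload notifications."""
    from google.cloud import dlp_v2, storage    # lazy import: only needed on GCP

    attrs = event.get("attributes", {})
    if attrs.get("eventType") != "OBJECT_FINALIZE":
        return None                              # ignore deletes and metadata updates
    gcs, dlp = storage.Client(), dlp_v2.DlpServiceClient()
    src = gcs.bucket(attrs["bucketId"])

    def has_pii(text):
        resp = dlp.inspect_content(request={
            "parent": f"projects/{PROJECT}",
            "inspect_config": {"info_types": [{"name": n} for n in INFO_TYPES]},
            "item": {"value": text},
        })
        return bool(resp.result.findings)

    def move_to_shared(name):
        blob = src.blob(name)
        src.copy_blob(blob, gcs.bucket(SHARED_BUCKET), name)
        blob.delete()                            # cross-bucket move = copy, then delete

    return route_object(attrs["objectId"],
                        lambda n: src.blob(n).download_as_text(),
                        has_pii, move_to_shared)
```

Analysts need no IAM binding on the administrator's bucket at all; only the function's service account reads from it and writes to the shared bucket.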