Google Professional Data Engineer
Get started today
Ultimate access to all questions.
NO.27 Data Analysts in your company have the Cloud IAM Owner role assigned to them in their projects to allow them to work with multiple GCP products in their projects. Your organization requires that all BigQuery data access logs be retained for 6 months. You need to ensure that only audit personnel in your company can access the data access logs for all projects. What should you do?
Real Exam
Community
LLeetQuiz
Explanation:
Explanation
Option D is correct because:
- Aggregated export sink: This allows you to collect logs from multiple projects into a single centralized location, which is essential for auditing across all projects
- New project for audit logs: Creating a dedicated project for audit logs ensures proper access control and separation of duties
- Restricted access: Only audit personnel should have access to this project, preventing Data Analysts (who have Owner roles in their own projects) from accessing the logs
Why other options are incorrect:
- Option A: Data Analysts have Owner roles, so they could potentially modify IAM permissions and access the logs
- Option B: Storing logs in Data Analysts' projects gives them potential access since they have Owner roles
- Option C: Project-level export sinks don't aggregate logs from multiple projects, making centralized auditing difficult
This approach follows the principle of least privilege and ensures audit logs are protected from the users being audited.
Comments
Loading comments...