
Answer-first summary for fast verification
Answer: Export the data access logs via an aggregated export sink to a Cloud Storage bucket in a newly created project for audit logs. Restrict access to the project that contains the exported logs.
## Explanation

**Option D is correct** because:

- **Aggregated export sink**: This allows you to collect logs from multiple projects into a single centralized location, which is essential for auditing across all projects
- **New project for audit logs**: Creating a dedicated project for audit logs ensures proper access control and separation of duties
- **Restricted access**: Only audit personnel should have access to this project, preventing Data Analysts (who have Owner roles in their own projects) from accessing the logs

**Why other options are incorrect**:

- **Option A**: Data Analysts have Owner roles, so they could potentially modify IAM permissions and access the logs
- **Option B**: Storing logs in Data Analysts' projects gives them potential access since they have Owner roles
- **Option C**: Project-level export sinks don't aggregate logs from multiple projects, making centralized auditing difficult

This approach follows the principle of least privilege and ensures audit logs are protected from the users being audited.
Author: LeetQuiz
NO.27 Data Analysts in your company have the Cloud IAM Owner role assigned to them in their projects to allow them to work with multiple GCP products in their projects. Your organization requires that all BigQuery data access logs be retained for 6 months. You need to ensure that only audit personnel in your company can access the data access logs for all projects. What should you do?
A. Enable data access logs in each Data Analyst's project. Restrict access to Stackdriver Logging via Cloud IAM roles.

B. Export the data access logs via a project-level export sink to a Cloud Storage bucket in the Data Analysts' projects. Restrict access to the Cloud Storage bucket.

C. Export the data access logs via a project-level export sink to a Cloud Storage bucket in a newly created project for audit logs. Restrict access to the project with the exported logs.

D. Export the data access logs via an aggregated export sink to a Cloud Storage bucket in a newly created project for audit logs. Restrict access to the project that contains the exported logs.