Exam Professional Data Engineer topic 1 question 141 discussion

Answer D is correct. Aggregated log sink will create a single sink for all projects, the destination can be a google cloud storage, pub/sub topic, bigquery table or a cloud logging bucket. without aggregated sink this will be required to be done for each project individually which will be cumbersome. https://cloud.google.com/logging/docs/export/aggregated_sinks

Correct: D https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

D is the correct ans

D. Here's why this option is recommended: Aggregated Export Sink: By using an aggregated export sink, you can consolidate data access logs from multiple projects into a single location. This simplifies log management and retention policies. Newly Created Project for Audit Logs: Creating a dedicated project for audit logs allows you to centralize access control and manage logs separately from individual Data Analyst projects. Access Restriction: By restricting access to the project containing the exported logs, you ensure that only authorized audit personnel have access to the logs while preventing Data Analysts from accessing them.

To create the Log Router, at step 3 to define the logs (Source), we can include logs from many projects (aggregated)

D is the answer. https://cloud.google.com/logging/docs/export/aggregated_sinks Aggregated sinks combine and route log entries from the Google Cloud resources contained by an organization or folder. For instance, you might aggregate and route audit log entries from all the folders contained by an organization to a Cloud Storage bucket.

D is correct

D: https://cloud.google.com/logging/docs/export/aggregated_exports You can create an aggregated export sink that can export log entries from all the projects, folders, and billing accounts of an organization. As an example, you might use this feature to export audit log entries from an organization's projects to a central location.

The auditor needs to audit data analyst's behaviors (how they access multiple projects in BQ ). So, the key is, multiple projects. According to Google doc project-level sinks: https://cloud.google.com/logging/docs/export/configure_export_v2 However, the Cloud Console can only create or view sinks in Cloud projects. To create sinks in organizations, folders, or billing accounts using the gcloud command-line tool or Cloud Logging API, see Aggregated sinks. Obviously, the auditor needs to check all projects accessed by data analyst which is not project-level, a higher level like folder or organization level, this can only be done via the aggregate sink. So D is the answer.

A - eliminated , because logs needs to be retained for 6 months (So, some storage require) B - eliminated, because if we store in same project then, Data Analyst can also access (But in question it's mention, ONLY audit personnel needs access) C - Wrong (No need to restrict project as well as logs separately) - wording does not look okay. D - Correct (If we restrict the project, then all resources get restricted) Vote for D

what is the difference between C and D? I think it's same.

D is correct

D is correct answer, refer below link for more information.

Ans : D Aggregated Exports, which allows you to set up a sink at the Cloud IAM organization or folder level, and export logs from all the projects inside the organization or folder.

Answer D