You are storing sensitive information in a Cloud Storage bucket. For legal reasons, you need to be able to record all requests that read any of the stored data. You want to make sure you comply with these requirements. What should you do?
A.
Enable the Identity Aware Proxy API on the project.
B.
Scan the bucket using the Data Loss Prevention API.
C.
Allow only a single Service Account access to read the data.
D.
Enable Data Access audit logs for the Cloud Storage API.
Correct Answer is (D):
Logged information
Within Cloud Audit Logs, there are two types of logs:
Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:
ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.
DATA_READ: Entries for operations that read an object.
DATA_WRITE: Entries for operations that create or modify an object.
https://cloud.google.com/storage/docs/audit-logs#types
D is the best answer:
- Data Access audit logs are specifically designed to track Google Cloud API operations related to data, including reads from Cloud Storage buckets.
- These logs include details about the user or service account making the request, the time, and the specific data resource accessed.
- Having this audit trail is essential for demonstrating adherence to regulations around sensitive data handling.
Why Others Aren't as Ideal:
A: Identity-Aware Proxy (IAP): IAP focuses on controlling access to web apps behind firewalls but doesn't inherently log all data read operations.
B: Data Loss Prevention (DLP): DLP is excellent for identifying sensitive data within your bucket but doesn't provide a continuous audit log of every access.
C: Restricting Access: While limiting access is a security best practice, it doesn't address the legal requirement to log every read operation.
D is correct as Data Access logs pertaining to Cloud Storage operations are not recorded by default. You have to enable them ...
https://cloud.google.com/storage/docs/audit-logging
seems that B is the right!
Cloud Data Loss Prevention (DLP) helps you to understand and manage such sensitive data. It provides fast, scalable classification and redaction for sensitive data elements. Using the Data Loss Prevention API and Cloud Functions, you can automatically scan this data before it is uploaded to the shared storage bucket.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
ESP_SAP
Highly Voted 4 years agofrancisco_guerra
Highly Voted 4 years agoSSPC
4 years agoPiperMe
Most Recent 6 months, 1 week agoscanner2
12 months agoCaptain1212
12 months agocalm_fox
1 year, 9 months agoAzureDP900
2 years, 2 months agoAkash7
2 years, 3 months agowael_tn
2 years, 4 months agoSurat
2 years, 7 months agoVinoth9289
3 years agoWakandaF
3 years, 3 months agoYAS007
3 years, 1 month agovictory108
3 years, 5 months agoEABDAJA
3 years, 5 months agoGCP_Student1
3 years, 6 months agoswatititame
3 years, 9 months agoRockAJ
3 years, 11 months ago