Exam Professional Cloud Security Engineer topic 1 question 86 discussion

B is the Ans

Ans B "B" is for actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions. "A" is only for "user-provided" resource data. Data Access audit logs-- except for BigQuery Data Access audit logs-- "are disabled by default"

Agree with B

To audit which new resources were created by a compromised service account key, you should query Admin Activity logs 1. Admin Activity logs provide a record of every administrative action taken in your Google Cloud Platform (GCP) project, including the creation of new resources 1. By querying Admin Activity logs, you can identify which new resources were created by the compromised service account key and take appropriate action to secure your environment 1. You can use the gcloud command-line tool or the Cloud Console to query Admin Activity logs 1. You can filter the logs based on specific criteria, such as time range, user, or resource type 1.

B - Audit logs. They have all the API calls that creates, modify or destroy resources. https://cloud.google.com/logging/docs/audit#admin-activity

B. Query Admin Activity logs.

Admin activity log records resources changes. B is correct

Admin activity logs are always created to log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.

Admin activity logs contain all GCP API calls. So this is where the service account activity will show up

I support B, https://cloud.google.com/iam/docs/audit-logging says IAM logs write into admin log

Ans : B

Ans - B