Your auditor wants to view your organization's use of data in Google Cloud. The auditor is most interested in auditing who accessed data in Cloud Storage buckets. You need to help the auditor access the data they need. What should you do?
A.
Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage.
B.
Assign the appropriate permissions, and then create a Data Studio report on Admin Activity Audit Logs.
C.
Assign the appropriate permissions, and then use Cloud Monitoring to review metrics.
D.
Use the export logs API to provide the Admin Activity Audit Logs in the format they want.
It should be A.
Data Access logs are not enabled by default, because they incur costs.
So you need to enable them first.
And then you can filter them in the log viewer.
IF Data Access Logs had ALREADY been enabled, then option B would be a good answer
Reason - (1) best practice for cloud auditing - enable Admin Activity audit logs, then set IAM permissions
(ref: https://cloud.google.com/logging/docs/audit/best-practices)
and (2) Create a Data Studio (now renamed to Looker) report on Admin Activity Audit Logs
(ref: https://cloud.google.com/looker/docs/looker-core-audit-logging)
But you cannot assume from the question that Data Access Logs are enabled (NB: they are NOT by default)
A is the correct answer.
Since the auditor wants to know who accessed the Cloud Storage data, we need Data Access logs for Cloud Storage.
Types of audit logs
Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:
Admin Activity audit logs
Data Access audit logs
System Event audit logs
Policy Denied audit logs
***Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
https://cloud.google.com/logging/docs/audit#types
The question says the auditor is most interested in who accessED data in Cloud Storage. I'm not sure how auditing is done for those who answered A, but this means they want the logs for past users who accessed the data from a specified time. Turning on the feature now is kind of too late. Poorly written question and answers. No point in an auditor coming in and giving the company all the exact questions they are going to ask and coming back to ask them in a few months' time. A seems like the better choice though.
If it's A, then how will we assign the permission for the auditor to view the logs?
I had chosen option A in the first place, but later changed it, considering that the auditor won't have the access to view the logs.
Data Access logs are not enabled by default, because they incur costs.
So you need to enable them first.
And then you can filter them in the log viewer.
https://cloud.google.com/logging/docs/audit#data-access
Cloud Storage: When Cloud Storage usage logs are enabled, Cloud Storage writes usage data to the Cloud Storage bucket, which generates Data Access audit logs for the bucket. The generated Data Access audit log has its caller identity redacted.
The majority vote here is A, despite some confusion around the wording of the question. I tend to agree because it's the solution that most closely reflects the requirements of the question (buckets, cloud storage).
A. I could not find a way to enable audit logs in specific buckets, only on the whole storage level:
https://cloud.google.com/logging/docs/audit/services
B. Admin Activity audit logs cover admin actions, such as metadata or config changes:
https://cloud.google.com/logging/docs/audit#admin-activity
C. Cloud monitoring is not for auditing: https://cloud.google.com/monitoring
D. Again, Admin Activity Audit Logs should not be used to audit data access, especially from buckets.
My conclusion: all these answers are wrong. My assumption: A is badly written. Specific buckets were not to be mentioned. I vote A, but I think this Q&A is messed up. Maybe a correction? Or deletion.
Actually, there is a different service named User Logs that permits focusing on a single bucket.
Refer to the Google page:
https://cloud.google.com/storage/docs/access-logs
Usage logs provide information for all of the requests made on a specified bucket
The question just says "buckets" and hints that the audit should cover all org data, so I don't think there is any need to overanalyse, you are correct in choosing A
I choose D. The reason is here: Cloud Audit Logs generates the following audit logs for operations in Cloud Storage:
Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:
ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.
DATA_READ: Entries for operations that read an object.
DATA_WRITE: Entries for operations that create or modify an object.
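The steps the thread keeps coming back to (enable Data Access audit logs for Cloud Storage, give the auditor the permission to read them, then filter the log viewer down to bucket reads by sub-type) can be shown end to end. The following is an added example written for this page, not code from the thread or from Google; it edits the IAM policy JSON that `gcloud projects get-iam-policy` prints (adding the `auditConfigs` entry for `storage.googleapis.com` and a binding for `roles/logging.privateLogViewer`, the role Data Access logs require), builds the Logs Explorer filter, and applies the same selection client-side to two constructed log entries. The project name `example-project`, the bucket `finance-reports`, the principals and the sample entries are all made up for the example.

```python
"""Enable Cloud Storage Data Access audit logs and select the resulting entries
(constructed example for the thread above, not the page's own code)."""
import copy
import json
from typing import Dict, List, Optional, Tuple

STORAGE_SERVICE = "storage.googleapis.com"
DATA_ACCESS_LOG_SUFFIX = "logs/cloudaudit.googleapis.com%2Fdata_access"
# The Data Access sub-types named in the thread; DATA_READ answers "who read an object".
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
PRIVATE_LOG_VIEWER = "roles/logging.privateLogViewer"


def enable_storage_data_access_logs(policy: Dict, exempted: Optional[List[str]] = None) -> Dict:
    """Return a copy of an IAM policy (output of `gcloud projects get-iam-policy PROJECT
    --format=json`) with an auditConfigs entry for storage.googleapis.com; feed it back
    with `gcloud projects set-iam-policy PROJECT policy.json`. Idempotent."""
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in audit_configs if c.get("service") == STORAGE_SERVICE), None)
    if entry is None:
        entry = {"service": STORAGE_SERVICE, "auditLogConfigs": []}
        audit_configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in DATA_ACCESS_LOG_TYPES:
        if log_type in present:
            continue  # never duplicate a config that is already there
        cfg = {"logType": log_type}
        if exempted:
            cfg["exemptedMembers"] = list(exempted)  # e.g. a noisy backup service account
        entry["auditLogConfigs"].append(cfg)
    return new_policy


def grant_private_log_viewer(policy: Dict, member: str) -> Dict:
    """Data Access audit logs are only readable by principals holding
    roles/logging.privateLogViewer, so bind it for the auditor in the same policy."""
    new_policy = copy.deepcopy(policy)
    bindings = new_policy.setdefault("bindings", [])
    binding = next((b for b in bindings if b.get("role") == PRIVATE_LOG_VIEWER), None)
    if binding is None:
        binding = {"role": PRIVATE_LOG_VIEWER, "members": []}
        bindings.append(binding)
    if member not in binding["members"]:
        binding["members"].append(member)
    return new_policy


def storage_data_access_filter(bucket: Optional[str] = None) -> str:
    """Logs Explorer query for Cloud Storage Data Access entries, optionally one bucket."""
    clauses = [
        f'logName:"{DATA_ACCESS_LOG_SUFFIX}"',
        f'protoPayload.serviceName="{STORAGE_SERVICE}"',
    ]
    if bucket:
        clauses.append(f'resource.labels.bucket_name="{bucket}"')
    return "\n".join(clauses)


def who_accessed(entries: List[Dict], bucket: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Apply the same selection as storage_data_access_filter() to LogEntry dicts
    (e.g. from `gcloud logging read ... --format=json`); returns (principal, method, bucket)."""
    hits = []
    for entry in entries:
        if DATA_ACCESS_LOG_SUFFIX not in entry.get("logName", ""):
            continue  # Admin Activity / System Event entries live in other logs
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != STORAGE_SERVICE:
            continue
        bucket_name = entry.get("resource", {}).get("labels", {}).get("bucket_name", "")
        if bucket and bucket_name != bucket:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<redacted>")
        hits.append((principal, payload.get("methodName", ""), bucket_name))
    return hits


# Constructed sample entries (not real log data): one object read in the Data Access
# log and one bucket metadata change, which Cloud Audit Logs writes to the Admin Activity log.
SAMPLE_ENTRIES = [
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "serviceName": STORAGE_SERVICE,
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/_/buckets/finance-reports/objects/q3.csv",
        },
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "finance-reports"}},
    },
    {
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "serviceName": STORAGE_SERVICE,
            "methodName": "storage.buckets.update",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/_/buckets/finance-reports",
        },
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "finance-reports"}},
    },
]

if __name__ == "__main__":
    policy = enable_storage_data_access_logs({"bindings": [], "etag": "BwX"})
    policy = grant_private_log_viewer(policy, "user:auditor@example.com")
    print(json.dumps(policy, indent=2))
    print(storage_data_access_filter("finance-reports"))
    print(who_accessed(SAMPLE_ENTRIES, "finance-reports"))
```

Note that `who_accessed()` drops the `storage.buckets.update` entry even though it concerns the same bucket: that is the point made in the thread that Admin Activity logs record configuration changes, not object reads, so only the Data Access log answers "who read the data". Enabling the logs is prospective; entries are only written from the moment the `auditConfigs` change takes effect.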