Exam Professional Cloud Architect topic 1 question 28 discussion

B. https://cloud.google.com/iam/docs/roles-audit-logging#scenario_external_auditors

Think B is better. Export to Bigquery and restrict access to queries with ACLs to auditors

A : not good as sending security data outside, even for audit, is not compliant C : cloud SQL is not designed for audits D : Would be great as the linly one to mention audit logs but only the log from GCS, and not IAM. B : remaining answer but it would be prefered audit log

Key clue from the question is "You want to streamline and expedite the analysis". How can you expect streamline and analysis capabilities from Cloud Storage? Rather BigQuery has the analytics and streamline capabilities inbuilt in the tool. User access can be controlled in both, so the correct answer with key clues is to Enable Logging export to Google BigQuery (this will store all the logs streamlined) and use ACLs (these are filters, so according to the audior) and views (these are read only, there is no obfuscation or tokenization or sensistive data to be handled from the logs !!!!) to scope the data shared with the auditor.

The power word here is , Streamline analysis and audit , hence BQ is the answer. If it would have been only audit , then D would have been beteer

1. Comprehensive Audit Trail: Cloud Logging automatically captures audit logs for all Cloud IAM activity. Exporting these logs to BigQuery provides a centralized and comprehensive audit trail for analysis. 2. Powerful Analysis: BigQuery's analytical capabilities allow auditors to efficiently query and analyze IAM policy changes over the 12-month period. They can filter, aggregate, and generate reports to identify any anomalies or security concerns. 3. Granular Access Control: BigQuery's Access Control Lists (ACLs) and views enable you to precisely control which data the auditors can access. This ensures that they only see the information relevant to their audit without exposing sensitive data. Note: While exporting logs to Cloud Storage is possible, it's less efficient for analysis compared to BigQuery.

Answer B

Option B is the best approach. Enable Logging export to Google BigQuery and use ACLs and views to scope the data shared with the auditor. This method provides robust querying capabilities, ensures that historical IAM policy changes can be analyzed effectively, and allows you to control access securely.

b is correct because it is easier to implement compared to D

READ THIS, ACL is not available in BIG QUERY , thereforeD. Enable Google Cloud Storage (GCS) log export to audit logs into a GCS bucket and delegate access to the bucket

ACLs would provide year-round access to the data which is more privileges than necessary. Logs will need to be retained for a full year because hypothetically, January logs could be looked at in December. Cloud Storage offers signed URLs, and less expensive storage options.

Both B and D are ok. Using cloud storage requires additional setup for auditors, pulling data to BQ. Using BQ would satisfy "streamline and expedite the analysis and audit process"

Based on google documentation B is the correct answer. https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors Dashboard is available in BigQuery to review historic logs and in case anamoly is found elevated access is provided. Access is revoked after audit activities are done.

D - Correct B - his option requires additional work to set up the ACLs and views to limit an auditor's view of the data. This could be time-consuming and complex to implement. Furthermore, BigQuery may not be the ideal tool for auditors who are only interested in reviewing Cloud IAM policy changes.

That‘s the only logical one also Bard is confirming this one

D I will not go with B, as the requirement is once for 12 months. Push the data in Coldline for 12 months and retrieve it during audit is enough. Save costs.

Reading from Cloud Storage raw audit logs (without filtering applied) is everything but streamlined. Imagine the auditor fetching all audit logs, then write some script to analyze them...