Question-5: You use Google Cloud Identity and Access Management (Cloud IAM) while developing an internal application for Identity and Access Management, Billing and Subscription for a SaaS-based service. Auditors visit your teams once a year and ask you to review all of the modifications to the Cloud IAM policy that occurred in the preceding year. You want to simplify and speed up the auditing and analysis process. What should you do?
A. Create custom alerts in Google Stackdriver and deliver them to the auditor.
B. Enable the export of logging data to Google BigQuery, and make use of access control lists and views to limit the data that is shared with the auditor.
C. Use Cloud Functions to move log entries to Google Cloud SQL, and then restrict the auditor's visibility with access control lists (ACLs) and views.
D. Enable the export of audit logs from Google Cloud Storage (GCS) to a GCS bucket, and delegate access to the bucket.
Correct Answer: 2

Explanation: The business routinely gives a third-party auditor access to its audit records on many occasions during the year. The auditor is not permitted to see personally identifiable information contained in the Admin Activity logs. To meet this requirement, a dashboard is provided that gives access to the historical logs kept in BigQuery and, upon request, to the Cloud Logging Admin Activity logs.

The company creates a Google group just for these outside auditors and adds the current auditor to it. Membership of this group is tracked, and members are in most cases given permission to use the dashboard application. During regular access, the auditors' Google group may only view the historical logs kept in BigQuery. If any anomalies are found, the group is authorized through the dashboard's elevated access mode to examine the actual Cloud Logging Admin Activity logs. The group's access is then revoked at the end of each audit period. Before data is made viewable through the dashboard application, it is scrubbed with Cloud DLP to remove personally identifiable information.

Even though the data in question is one year old, we still want to analyze it as quickly as possible. Option-4 is less expensive than Option-2, but it does not offer any analysis or reporting capabilities.
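A sketch of the auditor-facing view that Option-2 implies, added here as an example and not taken from the original answer. The project and dataset names (`my-project`, `audit_logs`, `auditor_views`) are assumptions, and the table and column names assume a Cloud Logging sink that routes Admin Activity audit logs to BigQuery with partitioned tables.

```sql
-- Added example. Assumed names: my-project, audit_logs (log sink destination),
-- auditor_views (the only dataset the auditors' Google group can read).
-- The view exposes IAM binding changes from the last year and leaves out
-- principal e-mail addresses and member identifiers, so the auditor sees
-- what changed and when, but not who.
CREATE OR REPLACE VIEW `my-project.auditor_views.iam_policy_changes` AS
SELECT
  timestamp,
  resource.type                        AS resource_type,
  protopayload_auditlog.serviceName    AS service_name,
  protopayload_auditlog.resourceName   AS resource_name,
  delta.action                         AS action,       -- ADD or REMOVE
  delta.role                           AS role,
  -- Keep only the principal type (user, group, serviceAccount, ...),
  -- not the identifier that follows the colon.
  SPLIT(delta.member, ':')[SAFE_OFFSET(0)] AS member_type
FROM
  `my-project.audit_logs.cloudaudit_googleapis_com_activity`,
  -- One output row per binding added or removed by the call.
  -- Entries without a recorded policy delta produce no rows.
  UNNEST(protopayload_auditlog.servicedata_v1_iam.policyDelta.bindingDeltas) AS delta
WHERE
  protopayload_auditlog.methodName LIKE '%SetIamPolicy'
  AND timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 365 DAY);

-- What the auditor runs against the view: binding changes per month,
-- broken down by role and action.
SELECT
  TIMESTAMP_TRUNC(timestamp, MONTH) AS month,
  role,
  action,
  COUNT(*) AS changes
FROM `my-project.auditor_views.iam_policy_changes`
GROUP BY month, role, action
ORDER BY month, changes DESC;
```

For the auditors' group to query the view without read access to the raw logs, the view has to be registered as an authorized view on the `audit_logs` dataset and the group granted access to `auditor_views` only.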