
PROFESSIONAL-CLOUD-DEVOPS-ENGINEER Question #186: Real Exam Question with Answer & Explanation

The correct answer is C: Enable Data Access audit logging for Cloud Storage for all projects and folders other than the.

Submitted by tom_us · Apr 18, 2026 · Implementing service monitoring strategies

Question

Your company stores a large volume of infrequently used data in Cloud Storage. The projects in your company's CustomerService folder access Cloud Storage frequently, but store very little data. You want to enable Data Access audit logging across the company to identify data usage patterns. You need to exclude the CustomerService folder projects from Data Access audit logging. What should you do?

Options

  • A. Enable Data Access audit logging for Cloud Storage at the organization level, and configure
  • B. Enable Data Access audit logging for Cloud Storage at the organization level, with no additional
  • C. Enable Data Access audit logging for Cloud Storage for all projects and folders other than the
  • D. Enable Data Access audit logging for Cloud Storage for all projects and folders, and configure

Explanation

Option C works because Google Cloud's Data Access audit log policies are additive in the resource hierarchy - a child resource (folder or project) can only expand the audit logging inherited from its parent, never reduce or disable it. This means if you enable Data Access logging at the organization level (Options A or B), the CustomerService folder will always be included - you cannot turn it off at a lower level. Option D fails for the same reason: enabling logging everywhere and then trying to configure an exclusion for the CustomerService folder won't work due to this inheritance constraint. Option B also fails on its own because it logs everything, including CustomerService, which violates the requirement.

By explicitly enabling Data Access audit logging at each project and folder except the CustomerService folder (Option C), you achieve full company coverage while legitimately omitting the one folder you need to exclude - because no parent-level policy forces it on.

Memory tip: Think of GCP audit log inheritance as a one-way valve - policies only flow down and add, never subtract. If you need to exclude something, don't enable logging above it; configure it explicitly everywhere else instead.
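
The additive rule described above can be modeled in a few lines. This is an added example, not part of the original question or any Google tooling: the hierarchy and resource names are constructed, the `auditConfigs` dictionaries follow the IAM policy shape, and exempted principals are not modeled.

```python
# Constructed hierarchy (child -> parent); all names are hypothetical.
PARENT = {
    "folders/customer-service": "organizations/example",
    "folders/archive": "organizations/example",
    "projects/cs-app": "folders/customer-service",
    "projects/cold-data": "folders/archive",
    "projects/shared-tools": "organizations/example",
}
GCS = "storage.googleapis.com"

def gcs_audit(*log_types):
    """auditConfigs fragment for Cloud Storage, in IAM policy shape."""
    return [{"service": GCS,
             "auditLogConfigs": [{"logType": t} for t in log_types]}]

def effective_log_types(resource, policies, service=GCS):
    """Union of log types enabled on the resource and on every ancestor.

    Models the additive rule only: a child can add log types, but nothing
    it sets can subtract a type enabled above it.
    """
    enabled, node = set(), resource
    while node is not None:
        for cfg in policies.get(node, []):
            if cfg["service"] in (service, "allServices"):
                enabled.update(c["logType"] for c in cfg["auditLogConfigs"])
        node = PARENT.get(node)
    return enabled

def projects_logged(policies):
    """Projects whose effective Cloud Storage Data Access config is non-empty."""
    return sorted(r for r in PARENT if r.startswith("projects/")
                  and effective_log_types(r, policies))

# Org-level enablement: the folder sets an empty config, which removes nothing.
ORG_LEVEL = {
    "organizations/example": gcs_audit("DATA_READ", "DATA_WRITE"),
    "folders/customer-service": gcs_audit(),
}
# Option C: enabled everywhere except CustomerService, nothing at the org.
PER_RESOURCE = {
    "folders/archive": gcs_audit("DATA_READ", "DATA_WRITE"),
    "projects/shared-tools": gcs_audit("DATA_READ", "DATA_WRITE"),
}

if __name__ == "__main__":
    print("org-level:", projects_logged(ORG_LEVEL))
    print("option C :", projects_logged(PER_RESOURCE))
```
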

Topics

#Audit Logging #Data Access Logs #GCP Resource Hierarchy #Cloud Storage
