Topic: Associate Cloud Engineer topic 1 question 169

Your auditor wants to view your organization's use of data in Google Cloud. The auditor is most interested in auditing who accessed data in Cloud Storage buckets. You need to help the auditor access the data they need. What should you do?

A.
Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage.
B.
Assign the appropriate permissions, and then create a Data Studio report on Admin Activity Audit Logs.
C.
Assign the appropriate permissions, and then use Cloud Monitoring to review metrics.
D.
Use the export logs API to provide the Admin Activity Audit Logs in the format they want.

Re: Associate Cloud Engineer topic 1 question 169

It should be A.
Data Access logs are not enabled by default due to the fact that they incur costs.
So you need to enable them first.
And then you can filter them in the log viewer.

Re: Associate Cloud Engineer topic 1 question 169

A. Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage.

Re: Associate Cloud Engineer topic 1 question 169

IF Data Access Logs had ALREADY been enabled, then option B would be a good answer.
Reason: (1) best practice for cloud auditing is to enable Admin Activity audit logs, then set IAM permissions
(ref: https://cloud.google.com/logging/docs/audit/best-practices)
and (2) create a Data Studio (now renamed to Looker) report on Admin Activity Audit Logs
(ref: https://cloud.google.com/looker/docs/looker-core-audit-logging).
But you cannot assume from the question that Data Access Logs are enabled (NB: they are NOT by default).

Re: Associate Cloud Engineer topic 1 question 169

A is the right answer, as first we need to turn on the Data Access logs.

Re: Associate Cloud Engineer topic 1 question 169

I have doubts about answer A: the auditor wants to see the audit logs, and in this answer it is not explicit whether he will be allowed to see them.

Re: Associate Cloud Engineer topic 1 question 169

A is the correct answer.
Since the auditor wants to know who accessed the Cloud Storage data, we need Data Access logs for Cloud Storage.

Types of audit logs
Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:

Admin Activity audit logs
Data Access audit logs
System Event audit logs
Policy Denied audit logs

***Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.

https://cloud.google.com/logging/docs/audit#types

Re: Associate Cloud Engineer topic 1 question 169

A is right

Re: Associate Cloud Engineer topic 1 question 169

The question says the auditor is most interested in who accessED data in Cloud Storage. I'm not sure how auditing is done for those who answered A, but this means they want the logs for past users who accessed the data from a specified time. Turning on the feature now is kind of too late. Poorly written question and answers. No point in an auditor coming in and giving the company all the exact questions they are going to ask and coming back to ask them in a few months' time. A seems like the better choice though.

Re: Associate Cloud Engineer topic 1 question 169

If it's A, then how will we assign the permission for the auditor to view the logs?
I had chosen option A in the first place, but later changed it considering that the auditor won't have the access to view the logs.

Re: Associate Cloud Engineer topic 1 question 169

Based on how I read the question:
We want Data Access logs, not Admin Activity Audit Logs.

Re: Associate Cloud Engineer topic 1 question 169

https://cloud.google.com/logging/docs/audit#data-access

Cloud Storage: When Cloud Storage usage logs are enabled, Cloud Storage writes usage data to the Cloud Storage bucket, which generates Data Access audit logs for the bucket. The generated Data Access audit log has its caller identity redacted.

Re: Associate Cloud Engineer topic 1 question 169

The majority vote here is A, despite some confusion around the wording of the question. I tend to agree because it's the solution that most closely reflects the requirements of the question (buckets, cloud storage).

Re: Associate Cloud Engineer topic 1 question 169

A. I could not find a way to enable audit logs in specific buckets, only on the whole storage level:
https://cloud.google.com/logging/docs/audit/services

B. Admin Activity audit logs cover admin actions, such as metadata or config changes:
https://cloud.google.com/logging/docs/audit#admin-activity

C. Cloud Monitoring is not for auditing: https://cloud.google.com/monitoring

D. Again, Admin Activity Audit Logs should not be used to audit data access, especially from buckets.

My conclusion: all these answers are wrong. My assumption: A is badly written. Specific buckets were not to be mentioned. I vote A, but I think this Q&A is messed up. Maybe a correction? Or deletion.

Re: Associate Cloud Engineer topic 1 question 169

Actually, there is a different service named User Logs that allows focusing on a single bucket.
Refer to the Google page:
https://cloud.google.com/storage/docs/access-logs
Usage logs provide information for all of the requests made on a specified bucket.

Re: Associate Cloud Engineer topic 1 question 169

The question just says "buckets" and hints that the audit should cover all org data, so I don't think there is any need to overanalyse; you are correct in choosing A.

Re: Associate Cloud Engineer topic 1 question 169

I choose D. The reason is here: Cloud Audit Logs generates the following audit logs for operations in Cloud Storage:

Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.

Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:

ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.

DATA_READ: Entries for operations that read an object.

DATA_WRITE: Entries for operations that create or modify an object.

Re: Associate Cloud Engineer topic 1 question 169

Also A, because it's the only one that mentions DATA ACCESS LOGS, which is the one that logs object access.

Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.

Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:

ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.

DATA_READ: Entries for operations that read an object.

DATA_WRITE: Entries for operations that create or modify an object.
https://cloud.google.com/storage/docs/audit-logging
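As an added example (not code from the thread or from Google), here is the "filter on Cloud Storage" step from option A carried through on parsed Data Access audit log entries, using the DATA_READ / DATA_WRITE / ADMIN_READ sub-types quoted above to report who read or wrote objects in a bucket. The project id, principals and bucket name are constructed placeholders, and the method-to-sub-type mapping is a simplified assumption following the quoted definitions rather than the full official table.

```python
from collections import defaultdict
# Logs Explorer query for the thread's "filter on Cloud Storage" step: Data Access
# audit entries whose monitored resource is a bucket ("my-project" is a placeholder).
LOGS_EXPLORER_FILTER = (
    'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access" '
    'AND resource.type="gcs_bucket"'
)
# Simplified method -> sub-type mapping following the definitions quoted in the thread
# (DATA_READ reads an object, DATA_WRITE creates/modifies one, the rest is ADMIN_READ).
# This is an assumption for the example, not the full official method table.
DATA_WRITE_METHODS = {"storage.objects.create", "storage.objects.delete", "storage.objects.update",
                      "storage.objects.patch", "storage.objects.rewrite", "storage.objects.compose"}

def classify(method_name):
    if method_name == "storage.objects.get":
        return "DATA_READ"
    return "DATA_WRITE" if method_name in DATA_WRITE_METHODS else "ADMIN_READ"

def matches_filter(entry):
    """Python equivalent of LOGS_EXPLORER_FILTER for one parsed LogEntry dict."""
    return (entry["logName"].endswith("cloudaudit.googleapis.com%2Fdata_access")
            and entry.get("resource", {}).get("type") == "gcs_bucket")

def who_accessed(entries):
    """Count object reads/writes per (principal, bucket, sub-type); skip metadata reads."""
    counts = defaultdict(int)
    for entry in entries:
        if not matches_filter(entry):
            continue  # Admin Activity entries live in a different logName
        subtype = classify(entry["protoPayload"]["methodName"])
        if subtype == "ADMIN_READ":
            continue  # metadata read (e.g. storage.buckets.get), not object data access
        bucket = entry["resource"]["labels"]["bucket_name"]
        # Entries generated from Cloud Storage usage logs have the caller identity redacted.
        who = entry["protoPayload"].get("authenticationInfo", {}).get("principalEmail", "<redacted>")
        counts[(who, bucket, subtype)] += 1
    return dict(counts)

def make_entry(log, method, bucket, who=None):
    # Constructed LogEntry dict carrying only the fields the functions above read.
    payload = {"serviceName": "storage.googleapis.com", "methodName": method}
    if who:
        payload["authenticationInfo"] = {"principalEmail": who}
    return {"logName": f"projects/my-project/logs/cloudaudit.googleapis.com%2F{log}",
            "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
            "protoPayload": payload}
# Constructed sample entries (not real data): a read, a write, a metadata read, an Admin Activity entry, a redacted read.
SAMPLE_ENTRIES = [
    make_entry("data_access", "storage.objects.get", "finance-reports", "alice@example.com"),
    make_entry("data_access", "storage.objects.create", "finance-reports", "bob@example.com"),
    make_entry("data_access", "storage.buckets.get", "finance-reports", "carol@example.com"),
    make_entry("activity", "storage.buckets.update", "finance-reports", "dave@example.com"),
    make_entry("data_access", "storage.objects.get", "finance-reports"),
]
```

Running `who_accessed(SAMPLE_ENTRIES)` reports only alice's read, bob's write and the redacted read; carol's bucket metadata read and dave's Admin Activity entry are excluded, which is why the thread rejects the Admin Activity options for this question.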