Google Cloud Professional Data Engineer Exam

What should you do to evaluate access on all objects in a Cloud Storage bucket to address concerns about unauthorized access?

• A. Review the Admin Activity audit logs.
• B. Enable and then review the Data Access audit logs.
• C. Route the Admin Activity logs to a BigQuery sink.
• D. Change the permissions on the bucket.

The correct answer is: Enable and then review the Data Access audit logs.

Enabling and reviewing the Data Access audit logs is an effective approach to evaluate access on all objects within a Cloud Storage bucket, particularly in the context of assessing unauthorized access. The Data Access audit logs specifically capture read and write requests to the data and reflect who accessed the data and what actions were taken. By examining these logs, you can gain insights into all interactions with the objects in the bucket, including the identities of users and service accounts accessing the data, the types of operations performed (like reads and writes), and the timestamps of these actions. This comprehensive view can help identify any unauthorized access patterns or anomalies that could indicate security concerns. Additionally, the Admin Activity audit logs focus primarily on administrative actions such as creating or modifying permissions, rather than access to the actual data itself. As such, they would not provide a full picture of who is accessing the objects within the bucket. Routing the Admin Activity logs to a BigQuery sink may be useful for deeper analysis of administrative changes, but it does not directly address the immediate concern of unauthorized access to data. Altering the permissions on the bucket might be a reactive measure rather than a thorough evaluation of access history.