Practice Test 3 | Google Cloud Certified Professional Cloud Architect | Dumps | Mock Test

Correct Answer A and C

Explanation

For long-term logs preserving and retention:

There are 3 type of sink destinations you can export Logs to: Cloud Storage, Cloud Pub/Sub, BigQuery. Export logs to Cloud Storage via an export sink. Cloud Storage is perfect solution for long-term logs retention.

For Sharing:

The choice to use IAM or signed URL’s depends on if the auditors need a GCP account or need access to a single object or all logs in a bucket.

You could either create a GCP account for auditor ACL object access or signed URL’s depending on if they need to have a GCP account or not.

Answer A is correct. If Auditors have GCP accounts, you can grant them “roles/storage.objectViewer” which can view objects and their metadata. Note the different between “storage.objectViewer” and “Project Viewer”

https://cloud.google.com/storage/docs/access-control/iam-roles Cloud Storage IAM Roles

Answer C is correct: “A signed URL is associated with a bucket or object and gives time-limited read or write access to that specific resource. Anyone in possession of the URL has the access granted by the URL, regardless of whether they have a Google account.” https://cloud.google.com/storage/docs/access-control/create-signed-urls-program

Answer B is incorrect: Project Viewer role is not enough to view Admin Activity logs in Operations Suite (formerly Stackdriver)  Logging. “To view the logs, you must have the IAM roles Logging/Private Logs Viewer or Project/Owner”.

https://cloud.google.com/logging/docs/audit/#admin-activity

Note: the Operations Suite (formerly Stackdriver)  Admin activity log retention period is 400 days which meets and exceeds the required once-a-year access.

Answer D is incorrect due to this part: “email a list of the logs once per year”