Your company’s Google Cloud organization has about 200 projects and 1,500 virtual machines. There is no uniform strategy for logs and events management, which reduces visibility for your security operations team. You need to design a logs management solution that provides visibility and allows the security team to view the environment’s configuration. What should you do?
A. 1. Create a dedicated log sink for each project that is in scope.
2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.
3. Deploy alerts based on log metrics in every project.
4. Grant the role “Monitoring Viewer” to the security operations team in each project.
B. 1. Create one log sink at the organization level that includes all the child resources.
2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event management (SIEM) on-premises, and ensure that the right team can access the SIEM.
3. Grant the Viewer role at organization level to the security operations team.
C. 1. Enable network logs and data access logs for all resources in the “Production” folder.
2. Do not create log sinks to avoid unnecessary costs and latency.
3. Grant the roles “Logs Viewer” and “Browser” at project level to the security operations team.
D. 1. Create one sink for the “Production” folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.
2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.
3. Grant the security operations team the role of Security Reviewer at organization level.
Disclaimer
This is a practice question. There is no guarantee that this question will appear in the certification exam.
Answer
B
Explanation
A. 1. Create a dedicated log sink for each project that is in scope.
2. Use a BigQuery dataset with time partitioning enabled as a destination of the log sinks.
3. Deploy alerts based on log metrics in every project.
4. Grant the role “Monitoring Viewer” to the security operations team in each project.
(Creating a dedicated log sink for each of 200 projects is not a feasible or viable option. Otherwise, this option looks good.)
B. 1. Create one log sink at the organization level that includes all the child resources.
2. Use as destination a Pub/Sub topic to ingest the logs into the security information and event management (SIEM) on-premises, and ensure that the right team can access the SIEM.
3. Grant the Viewer role at organization level to the security operations team.
(The only sensible option, even though it requires ingesting the logs into an on-premises SIEM tool.)
C. 1. Enable network logs and data access logs for all resources in the “Production” folder.
2. Do not create log sinks to avoid unnecessary costs and latency.
3. Grant the roles “Logs Viewer” and “Browser” at project level to the security operations team.
(Accessing logs in each of the 200 projects individually does not give the security operations team any consolidated visibility.)
D. 1. Create one sink for the “Production” folder that includes child resources and one sink for the logs ingested at the organization level that excludes child resources.
2. As destination, use a log bucket with a minimum retention period of 90 days in a project that can be accessed by the security team.
3. Grant the security operations team the role of Security Reviewer at organization level.
(Security Reviewer is a very broad role and gives extra permissions to the security operations team. Otherwise, this option is good.)