An external identity with a highly privileged IAM role exists in a critical project. You need to determine whether actions were taken by this identity. Logs are centralized in Cloud Logging, and historical logs exported to BigQuery. What should you do?

Multiple Choice

Explanation:
The key idea is to use the audit logs to establish what action, if any, the external identity performed. Cloud Logging contains Cloud Audit Logs that record administrative and data-access activities, including which identity (principalEmail) performed each operation and on which resource. Since historical logs are exported to BigQuery, you can run queries across both the real-time logs in Cloud Logging and the long-term data in BigQuery to find every event tied to that external identity. By filtering for the principalEmail that matches the external identity, you can enumerate all actions, drill into the resources involved, and note timestamps to determine what was done and when.

This approach directly answers the objective because it relies on the actual activity records, not on recommendations or policy views. Other options don’t capture exact actions by a user or service account: recommender insights and Security Command Center findings focus on potential issues or suggestions rather than concrete actions; VPC Flow Logs show network traffic, which may indicate activity but doesn’t prove which identity performed it; Policy Analyzer reveals what resources a principal could access, not what they actually did.
