Google Cloud Professional Cloud Security Engineer Practice Exam

To export security logs for Google Cloud, which two actions are necessary?

• A. Create a Log Sink at the organization level with the includeChildren parameter
• B. Export logs to Google BigQuery
• C. Enable Google Workspace audit logs
• D. Set the destination to a Cloud Storage bucket

The correct answer is: Create a Log Sink at the organization level with the includeChildren parameter

To export security logs in Google Cloud, it's essential to set up proper log sinks, which directly relate to your ability to manage and route logs to the desired destination. The correct action involves creating a Log Sink at the organization level using the includeChildren parameter. This capability allows you to specify the logging hierarchy effectively; thus, it will collect and export logs not only from the organization but also from all its child resources. This is crucial for comprehensive logging, especially in larger environments where resources are organized into projects and folders. When you establish a Log Sink, you direct the logs to a specific destination such as a Cloud Storage bucket, BigQuery, or Pub/Sub, fine-tuning your log management strategy and ensuring that all relevant security logs are captured for analysis and compliance purposes. The use of the includeChildren parameter is particularly important, as it encompasses all resource-level logs, significantly enhancing visibility into security events across the entire organization. The action of exporting logs to Google BigQuery, while beneficial for analysis and reporting, is not sufficient by itself to establish log export functionality. Similarly, enabling Google Workspace audit logs may enhance your visibility into user activities within Google Workspace but is not directly tied to the export of Google Cloud security logs. Setting the destination to a Cloud