Google Cloud Professional Cloud Security Engineer Practice Exam

What action should be taken to confirm unauthorized access to Google Cloud resources by a former employee?

• A. Check user permissions
• B. Use Logs Explorer to search for user activity
• C. Reset all service account keys
• D. Review IAM roles

The correct answer is: Use Logs Explorer to search for user activity

Using Logs Explorer to search for user activity is the most effective action to confirm unauthorized access to Google Cloud resources by a former employee. Logs Explorer provides a comprehensive view of operational logs, including detailed records of actions taken by users, service accounts, and applications within your Google Cloud environment. By analyzing these logs, security engineers can identify any anomalous or unauthorized activities related to the former employee's account, such as unusual access patterns, privileges exerted post-termination, or specific resource modifications made after their departure. This maintains a clear audit trail of user actions and is essential for forensic analysis when investigating possible security breaches. The information gleaned from Logs Explorer would be critical in understanding whether unauthorized access has occurred and in taking necessary mitigation steps. While checking user permissions and reviewing IAM roles can help assess the scope of access that the former employee had before termination, these actions would not provide insight into actual activities performed after their departure. Resetting service account keys, though a good practice, is more of a preventative measure rather than a method for confirming past unauthorized access. Therefore, utilizing Logs Explorer is the most direct means to ascertain whether any unauthorized actions were taken following the employee's exit.