Google Cloud Professional Cloud Security Engineer Practice Exam


What is the recommended method for handling logs with personally identifiable information in Cloud Storage?

  1. Set bucket access control lists to restrict access

  2. Use a single bucket for all logs

  3. Use Pub/Sub and Cloud Functions for Data Loss Prevention scans

  4. Encrypt all logs in the bucket

The correct answer is: Use Pub/Sub and Cloud Functions for Data Loss Prevention scans

The recommended method for handling logs that contain personally identifiable information (PII) in Cloud Storage is to use Pub/Sub and Cloud Functions for Data Loss Prevention (DLP) scans, because this approach provides a systematic and automated way to detect and protect sensitive data.

Pub/Sub allows real-time or near-real-time processing of log data as it is ingested. When logs that may contain PII are uploaded to Cloud Storage, a trigger can be set up to send a notification to a Pub/Sub topic. Cloud Functions can then listen for these notifications and run functions that perform DLP scans on the logs. Any PII present in the logs can then be identified and acted upon, for example by masking or redacting it, before the logs are stored permanently.

This method not only enhances security but also reduces the risk of exposing sensitive information. By implementing automated scans as logs are ingested, organizations can ensure compliance with data protection regulations and enhance their overall data governance strategy.

Although configuring access control lists and encrypting logs are important security practices, they do not specifically address the proactive identification and mitigation of PII within the logs. Using a single bucket for all logs may also complicate the management and monitoring of sensitive information, rather than ensuring comprehensive protection.