    GCP Professional Cloud Architect Practice Exam 4 · Question 15
    Easy · 1 mark · Multiple Choice
    Domain 3: Designing for Security and Compliance · Cloud Audit Logs · Compliance · BigQuery
    This question is part of a case study (Case 11).

    CASE STUDY: HealthData Corp

    Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
    Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
    Executives:

    • CEO: "Trust is our product. Zero tolerance for breaches."
    • CFO: "Storage costs growing exponentially. Need lifecycle management."
    • CISO: "Zero-trust architecture, end-to-end encryption."

    Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
    Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.


    To meet SOC 2 and HIPAA compliance, you must retain all administrative activity and data access logs for 3 years. How should you configure this?

    Answer options:

    A. Cloud Logging retains all logs for 3 years by default, so no action is needed.

    B. Enable Data Access logs in Cloud Audit Logs, and create a Log Sink to route all audit logs to a BigQuery dataset with a 3-year retention policy.

    C. Install the Ops Agent on all VMs to capture system logs and send them to Cloud Storage.

    D. Export logs manually every 30 days to a local on-premises server.

    How to approach this question

    Identify that Data Access logs must be explicitly enabled, and long-term retention requires routing logs to a storage service like BigQuery or GCS.

    Full Answer

    B. Enable Data Access logs in Cloud Audit Logs, and create a Log Sink to route all audit logs to a BigQuery dataset with a 3-year retention policy. ✓ Correct
    By default, Google Cloud Audit Logs only record Admin Activity (enabled by default, 400-day retention). For HIPAA/SOC 2, you must explicitly enable Data Access logs (which track who read/wrote data). Because the retention requirement is 3 years, you must create a Log Router Sink to export these logs to a long-term storage solution like BigQuery, which also allows security teams to run SQL queries on the audit data.
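
    An added example, not part of the original question or any Google tooling: an offline check of that configuration against the three requirements in the explanation above. It assumes the inputs are the JSON documents for the project's IAM policy, the log sink and the BigQuery dataset; the sample values, the project and dataset names, and the 3 × 365-day threshold are constructed for illustration.

```python
"""Added example: offline check of exported config against the 3-year audit-log requirement."""
THREE_YEARS_MS = 3 * 365 * 24 * 60 * 60 * 1000  # assumption: 3 years = 1095 days
DATA_ACCESS_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def audit_gaps(iam_policy, sink, dataset):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []

    # 1. Data Access logs must be switched on in the IAM policy's auditConfigs.
    enabled, exempt = set(), []
    for cfg in iam_policy.get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue  # assumption: only the project-wide entry is evaluated
        for alc in cfg.get("auditLogConfigs", []):
            enabled.add(alc.get("logType"))
            exempt += alc.get("exemptedMembers", [])
    missing = DATA_ACCESS_TYPES - enabled
    if missing:
        findings.append("data access log types not enabled: " + ", ".join(sorted(missing)))
    if exempt:
        findings.append("principals exempt from data access logging: " + ", ".join(sorted(set(exempt))))

    # 2. The sink must be active, target BigQuery, and not filter audit logs out.
    if sink.get("disabled"):
        findings.append("sink is disabled")
    if not sink.get("destination", "").startswith("bigquery.googleapis.com/"):
        findings.append("sink destination is not a BigQuery dataset")
    flt = sink.get("filter", "")  # an empty filter routes every log entry
    if flt and "cloudaudit.googleapis.com" not in flt:
        findings.append("sink filter does not select audit logs")
    elif "%2Factivity" in flt and "%2Fdata_access" not in flt:
        findings.append("sink filter selects Admin Activity only")

    # 3. Dataset defaults must not expire tables or partitions before 3 years.
    for key in ("defaultTableExpirationMs", "defaultPartitionExpirationMs"):
        if key in dataset and int(dataset[key]) < THREE_YEARS_MS:
            findings.append(f"{key} is shorter than 3 years")
    return findings


# Constructed sample inputs (placeholder project and dataset names).
POLICY = {"auditConfigs": [{"service": "allServices", "auditLogConfigs": [
    {"logType": "ADMIN_READ"}, {"logType": "DATA_READ", "exemptedMembers": ["user:etl@example.com"]}]}]}
SINK = {"destination": "bigquery.googleapis.com/projects/example-project/datasets/audit_logs",
        "filter": 'logName:"cloudaudit.googleapis.com%2Factivity"'}
DATASET = {"defaultTableExpirationMs": str(400 * 24 * 60 * 60 * 1000)}

if __name__ == "__main__":
    for finding in audit_gaps(POLICY, SINK, DATASET):
        print("FAIL:", finding)
```

    The filter check is a string heuristic rather than a parser for the Logging query language, so a sink that passes it still needs its filter reviewed by hand.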

    Common mistakes

    Assuming Cloud Logging keeps all logs indefinitely (A).