Google Cloud Professional Cloud Security Engineer — Question 307
Last week, a company deployed a new App Engine application that writes logs to BigQuery. No other workloads are running in the project. You need to validate that all data written to BigQuery was done using the App Engine Default Service Account.
What should you do?
Answer options
- A. 1. Use Cloud Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Hide Matching Entries. 4. Make sure the resulting list is empty.
- B. 1. Use Cloud Logging and filter on BigQuery Insert Jobs. 2. Click on the email address in line with the App Engine Default Service Account in the authentication field. 3. Click Show Matching Entries. 4. Make sure the resulting list is empty.
- C. 1. In BigQuery, select the related dataset. 2. Make sure that the App Engine Default Service Account is the only account that can write to the dataset.
- D. 1. Go to the Identity and Access Management (IAM) section of the project. 2. Validate that the App Engine Default Service Account is the only account that has a role that can write to BigQuery.
Correct answer: A
Explanation
The correct answer is A. Filtering Cloud Logging on BigQuery Insert Jobs lists every write, and hiding the entries that match the App Engine Default Service Account leaves only writes made by other identities. If the resulting list is empty, no other account wrote data. Option B shows the matching entries instead, so an empty list there would not confirm that only the App Engine Default Service Account wrote the data, which contradicts the requirement. Options C and D look at permissions and dataset access, which describe who is allowed to write rather than who did; they do not validate the log entries, which is the primary requirement of the question.