Google Cloud Professional Cloud Security Engineer — Question 93

You are backing up application logs to a shared Cloud Storage bucket that is accessible to both the administrator and analysts. Analysts should not have access to logs that contain any personally identifiable information (PII). Log files containing PII should be stored in another bucket that is only accessible to the administrator. What should you do?

Answer options

• A. Upload the logs to both the shared bucket and the bucket with PII that is only accessible to the administrator. Use the Cloud Data Loss Prevention API to create a job trigger. Configure the trigger to delete any files that contain PII from the shared bucket.
• B. On the shared bucket, configure Object Lifecycle Management to delete objects that contain PII.
• C. On the shared bucket, configure a Cloud Storage trigger that is only triggered when PII is uploaded. Use Cloud Functions to capture the trigger and delete the files that contain PII.
• D. Use Pub/Sub and Cloud Functions to trigger a Cloud Data Loss Prevention scan every time a file is uploaded to the administrator's bucket. If the scan does not detect PII, have the function move the objects into the shared Cloud Storage bucket.

Correct answer: D

Explanation

The correct answer is D, as it allows for an automated scanning process that ensures only non-PII files are moved to the shared bucket, preserving data privacy. Option A is incorrect because it involves keeping PII in the shared bucket temporarily, which violates access policies. Option B does not prevent PII from being uploaded to the shared bucket initially, and option C would still allow PII to be uploaded before it is deleted, which is not compliant with the requirement.