Google Cloud Security: Managing Log Storage and Access

Ensure Proper Access Control for Application Logs

Question

A company is backing up application logs to a Cloud Storage bucket shared with both analysts and the administrator.

Analysts should only have access to logs that do not contain any personally identifiable information (PII).

Log files containing PII should be stored in another bucket that is only accessible by the administrator.

What should you do?

Answers

Explanations


A. B. C. D.

C.

The scenario described in the question is that a company is backing up application logs to a Cloud Storage bucket that is shared with both analysts and the administrator. The requirement is that analysts should only have access to logs that do not contain any personally identifiable information (PII), and log files containing PII should be stored in another bucket that is only accessible by the administrator.

To fulfill this requirement, there are different solutions, but only one of them is the best. Let's analyze each option to see which one is the most appropriate.

Option A suggests using Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, the function should move the file to a Cloud Storage bucket that is only accessible by the administrator. This solution is a good one because it automates the process of moving PII files to a separate bucket, which ensures that analysts will not have access to those files. The only concern with this solution is that it requires additional setup and configuration, which could be time-consuming.

Option B proposes uploading the logs to both the shared bucket and the bucket only accessible by the administrator. A job trigger using the Cloud Data Loss Prevention API should be created, and the trigger should be configured to delete any files from the shared bucket that contain PII. This solution is not optimal because it requires duplicating the files and additional storage, which could increase costs. Moreover, deleting files from the shared bucket might cause issues for analysts who rely on those logs for their work.

Option C recommends configuring Object Lifecycle Management on the bucket shared with both the analysts and the administrator to delete objects that contain any PII. This solution is not the best because it doesn't provide the required security level. It only deletes the files containing PII, but it doesn't move them to a separate bucket accessible only by the administrator.

Option D proposes configuring a Cloud Storage Trigger that is only triggered when PII data is uploaded to the shared bucket. The trigger should be captured by a Cloud Function that deletes such files. This solution is not optimal because it doesn't move the PII files to a separate bucket accessible only by the administrator.

Therefore, the best option to fulfill the requirement is Option A, which suggests using Cloud Pub/Sub and Cloud Functions to trigger a Data Loss Prevention scan every time a file is uploaded to the shared bucket. If the scan detects PII, the function should move the file to a Cloud Storage bucket that is only accessible by the administrator. This solution automates the process of moving PII files to a separate bucket, which ensures that analysts will not have access to those files, and it doesn't require duplicating files or deleting files from the shared bucket.
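The flow described for Option A, sketched as a Pub/Sub-triggered Cloud Function. This is an added example, not code from the original page; the bucket name, project ID and info types are assumed placeholders, and it assumes each log file is small enough to inspect in a single `inspect_content` request.

```python
# Added example: values marked "assumed" are placeholders, not taken from the page.
ADMIN_BUCKET = "example-admin-only-logs"  # assumed: bucket only the administrator can read
PROJECT = "example-project"               # assumed project ID
INFO_TYPES = ["EMAIL_ADDRESS", "PHONE_NUMBER", "CREDIT_CARD_NUMBER"]  # assumed PII scope

def gcs_read(bucket, name):
    from google.cloud import storage  # lazy import keeps the routing logic testable offline
    return storage.Client().bucket(bucket).blob(name).download_as_text()

def dlp_has_pii(text):
    from google.cloud import dlp_v2
    response = dlp_v2.DlpServiceClient().inspect_content(request={
        "parent": f"projects/{PROJECT}",
        "inspect_config": {"info_types": [{"name": n} for n in INFO_TYPES]},
        "item": {"value": text},
    })
    return bool(response.result.findings)

def gcs_move(bucket, name, dest_bucket):
    from google.cloud import storage
    client = storage.Client()
    src = client.bucket(bucket)
    blob = src.blob(name)
    src.copy_blob(blob, client.bucket(dest_bucket), name)  # copy to the admin bucket first
    blob.delete()                                          # then remove from the shared bucket

def handle_upload(event, context=None, read=gcs_read, has_pii=dlp_has_pii, move=gcs_move):
    """Entry point for Cloud Storage notifications delivered through Pub/Sub."""
    attrs = event.get("attributes") or {}
    if attrs.get("eventType") != "OBJECT_FINALIZE":
        return "ignored"  # react only to completed uploads, not deletes or metadata updates
    bucket, name = attrs["bucketId"], attrs["objectId"]
    text = read(bucket, name)
    try:
        pii = has_pii(text)
    except Exception:
        pii = True  # fail closed: a file that cannot be scanned is treated as containing PII
    if pii:
        move(bucket, name, ADMIN_BUCKET)
        return "moved"
    return "kept"
```

The object is readable in the shared bucket until the function finishes, so analysts' access should account for that window.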