Secure Cloud Storage | Recording Data Requests | Compliance with Legal Requirements

Recording Data Requests for Sensitive Information in Cloud Storage

Question

You are storing sensitive information in a Cloud Storage bucket.

For legal reasons, you need to be able to record all requests that read any of the stored data.

You want to make sure you comply with these requirements.

What should you do?

Answers

Explanations


A. B. C. D.

D.

https://cloud.google.com/storage/docs/audit-logs

The correct answer for the scenario described is D: enable Data Access audit logs for the Cloud Storage API.

Explanation:

Data Access audit logs provide a way to track and record all actions that access or modify data in a Google Cloud Storage bucket. By enabling these audit logs, you can record all requests that read sensitive information stored in a bucket, as the legal requirements in the scenario demand.

Identity-Aware Proxy API (option A) is a service that allows you to manage access to your applications running on Google Cloud Platform, but it does not provide logging or auditing capabilities.

Data Loss Prevention API (option B) allows you to scan and classify data stored in a bucket to detect and prevent the disclosure of sensitive data. However, it does not provide logging or auditing capabilities.

Allowing only a single Service Account access to read the data (option C) is a good security practice, but it does not provide auditing capabilities to track all requests that access the sensitive data.

Therefore, the best option is to enable data access audit logs for the Cloud Storage API (option D) to meet the legal requirements and record all requests that read the sensitive information.
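To confirm that option D is actually in force, the following added example (not part of the original page) checks an IAM policy for `DATA_READ` audit logging on Cloud Storage and flags exempted principals, whose reads would go unrecorded. The sample policy, the service account name and the function names are constructed for illustration; the JSON shape is assumed to be what `gcloud projects get-iam-policy PROJECT_ID --format=json` returns.

```python
import json

# Constructed sample policy (not taken from a real project).
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ",
        "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
       {"logType": "DATA_WRITE"}]}
  ],
  "bindings": []
}
""")


def data_read_status(policy, service="storage.googleapis.com"):
    """Return (enabled, exempted_members) for DATA_READ audit logging on `service`.

    Configs for "allServices" and for the specific service are combined:
    a log type enabled in either is enabled, and exemptions from both apply.
    """
    enabled, exempted = False, set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in (service, "allServices"):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            if log_cfg.get("logType") == "DATA_READ":
                enabled = True
                exempted.update(log_cfg.get("exemptedMembers", []))
    return enabled, sorted(exempted)


def compliance_findings(policy):
    """List the reasons this policy fails a 'record every read' requirement."""
    enabled, exempted = data_read_status(policy)
    findings = []
    if not enabled:
        findings.append("DATA_READ audit logs are not enabled for Cloud Storage")
    for member in exempted:
        findings.append(f"reads by {member} are exempt from DATA_READ logging")
    return findings


if __name__ == "__main__":
    for line in compliance_findings(SAMPLE_POLICY) or ["OK: DATA_READ enabled, no exemptions"]:
        print(line)
```

The check covers only the policy it is given; the effective configuration also includes audit configs inherited from the folder and organization policies. Cloud Audit Logs does not track access to publicly readable objects, so a bucket holding regulated data also needs public access prevented.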