It should be A. Data access log are not enabled by default due to the fact that it incurs costs. So you need to enable it first. And then you can filter it in the log viewer

A. Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage.

A. Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage.

IF Data Access Logs had ALREADY been enabled, then option B would be a good answer Reason - (1) best practice for cloud auditing - enable Admin Activity audit logs, then set IAM permissions (ref: https://cloud.google.com/logging/docs/audit/best-practices) and (2) Create a Data Studio (now renamed to Looker) report on Admin Activity Audit Logs (ref: https://cloud.google.com/looker/docs/looker-core-audit-logging) But you cannot assume from the question that Data Access Logs are enabled (NB: they are NOT by default)

A is the right answer as first we need to turn on the data access logs

I have doubts about the answer A, the auditor wants to see the audit logs, and in this answer it is not explicit if he will be allowed to see it.

A is the correct answer, Since the auditor wants to know who accessed the cloud storage data, we need data acces logs for cloud storage. Types of audit logs Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization: Admin Activity audit logs Data Access audit logs System Event audit logs Policy Denied audit logs ***Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. https://cloud.google.com/logging/docs/audit#types

A is right

question says auditor is most interested in who accessED data in Cloud Storage. im not sure how auditoring is done for those who answered A but this means they want the logs for past users who accessed the data from a sepecified time. Turning on the feature now is kind of too late. poorly written question and answers. No point in an auditor coming in and giving the company all the exact questions they are going to ask and come back and ask them in a few months time. A seems like the better choices though

If it's A then how will we assign the permission for the auditor to view the logs? I had chosen option A on the first place, but later changed it considering that the auditor won't have the access to view the logs.

Based on how I read the question- We want Data Access log, not Admin Activity Audit Logs.

Data access log are not enabled by default due to the fact that it incurs costs. So you need to enable it first. And then you can filter it in the log viewer

https://cloud.google.com/logging/docs/audit#data-access Cloud Storage: When Cloud Storage usage logs are enabled, Cloud Storage writes usage data to the Cloud Storage bucket, which generates Data Access audit logs for the bucket. The generated Data Access audit log has its caller identity redacted.

The majority vote here is A, despite some confusion around the wording of the question. I tend to agree because it's the solution that most closely reflects the requirements of the question (buckets, cloud storage).

A. I could not find a way to enable audit logs in specific buckets, only on the whole storage level: https://cloud.google.com/logging/docs/audit/services B. Admin activity audit logs cover admin actions, such as metada or config changes: https://cloud.google.com/logging/docs/audit#admin-activity C. Cloud monitoring is not for auditing: https://cloud.google.com/monitoring D. Again, Admin Activity Audit Logs should not be used to audit data access, specially from bukets. My conclusion: all these answers are wrong. My assumption: A is badly written. Specific buckets were not to be mentioned. I Vote A, but i think this Q&A is messed up. Maybe a correction? or deletion.

I choose D. reason is here: Cloud Audit Logs generates the following audit logs for operations in Cloud Storage: Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object. Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs: ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object. DATA_READ: Entries for operations that read an object. DATA_WRITE: Entries for operations that create or modify an object.

Also A because it's the only one that mention DATA ACCESS LOGS, which is the one that Logs objects access , t Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object. Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs: ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object. DATA_READ: Entries for operations that read an object. DATA_WRITE: Entries for operations that create or modify an object. https://cloud.google.com/storage/docs/audit-logging