
What is Audit Log in Google Cloud?

In this article, we discuss Google Cloud audit logs, a GUI-based feature that can audit all activities of the Google Cloud Platform. We cover the types of audit logs, the procedure to enable and configure them, and how to read them.

What are Google Cloud Audit Logs?

Google Cloud audit logs are the means by which certain activities on GCP can be monitored and audited. They provide an account of all API calls, the administrative actions taken, and all other events on the platform. Audit log data is a critical part of the security, audit, and compliance functions because it helps identify who did what, where, and when.

In simple words, we can say that Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources. Audit logs help you answer “who did what, where, and when?” within your Google Cloud resources with the same level of transparency as in on-premises environments. Enabling audit logs helps your security, auditing, and compliance entities monitor Google Cloud data and systems for possible vulnerabilities or external data misuse.

Types of Audit Logs

Types of Audit Logs in GCP

GCP provides four types of audit logs:

1- Admin Activity audit logs

Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.

Admin Activity audit logs are always written; you can’t configure, exclude, or disable them. Even if you disable the Cloud Logging API, Admin Activity audit logs are still generated.

For a list of services that write Admin Activity audit logs and detailed information about which activities generate those logs, see Google Cloud services with audit logs.

2- Data Access audit logs

Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.

Publicly available resources that have the Identity and Access Management policies allAuthenticatedUsers or allUsers don’t generate audit logs. Resources that can be accessed without logging into a Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account don’t generate audit logs. This helps protect end-user identities and information.

Data Access audit logs—except for BigQuery Data Access audit logs—are disabled by default because audit logs can be quite large. If you want Data Access audit logs to be written for Google Cloud services other than BigQuery, you must explicitly enable them. Enabling the logs might result in your Google Cloud project being charged for the additional logs usage. For instructions on enabling and configuring Data Access audit logs, see Enable Data Access audit logs.

Data Access audit logs are stored in the _Default log bucket unless you’ve routed them elsewhere.

3- System Event audit logs

System Event audit logs contain log entries for Google Cloud actions that modify the configuration of resources. System Event audit logs are generated by Google systems; they aren’t driven by direct user action.

System Event audit logs are always written; you can’t configure, exclude, or disable them.

4- Policy Denied audit logs

Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation.

Policy Denied audit logs are generated by default and your Google Cloud project is charged for the logs storage. You can’t disable Policy Denied audit logs, but you can use exclusion filters to prevent Policy Denied audit logs from being stored in Cloud Logging.

Enabling and Configuring Data Access Audit Logs

To enable data access audit logs, follow these steps:

1- Go to the IAM & Admin page in the GCP console.

Navigating to IAM and Admin Page

2- Go to “Audit logs” and then choose the service for which you want to enable data access audit logs.

Navigating to Audit Logs

3- Select the checkboxes for the types of data access logs that you wish to enable (for example, Admin Read, Data Read, Data Write).

Select the check mark buttons for the types of data access logs
Provide exempted principals

4- To save your changes, click the “Save” button.
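The settings saved in the steps above are stored in the `auditConfigs` section of the project's IAM policy. As an added example (not part of the original article), the following script reviews that section for one service and reports which Data Access log types are still off and which principals are exempted; the sample policy is constructed and mirrors the JSON shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`.

```python
import json

# Constructed sample: only the "auditConfigs" part of an IAM policy.
SAMPLE_POLICY = json.loads("""
{
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ", "exemptedMembers": ["user:batch@example.com"]},
       {"logType": "DATA_WRITE"}]}
  ]
}
""")

# The three Data Access log types shown as checkboxes in the console.
DATA_ACCESS_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def effective_audit_config(policy, service):
    """Return {logType: sorted exempted members} in effect for `service`.

    Entries for "allServices" apply to every service; they are combined with
    the service-specific entry as a union of log types and of exemptions.
    """
    enabled = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            members = enabled.setdefault(log_cfg["logType"], set())
            members.update(log_cfg.get("exemptedMembers", []))
    return {log_type: sorted(m) for log_type, m in enabled.items()}


def review(policy, service):
    """Return (log types not enabled, {log type: exempted principals})."""
    enabled = effective_audit_config(policy, service)
    missing = [t for t in DATA_ACCESS_TYPES if t not in enabled]
    exempt = {t: m for t, m in enabled.items() if m}
    return missing, exempt


if __name__ == "__main__":
    for svc in ("storage.googleapis.com", "compute.googleapis.com"):
        missing, exempt = review(SAMPLE_POLICY, svc)
        print(f"{svc}: not logged={missing} exempted={exempt}")
```

Exempted principals deserve periodic review, because their reads and writes leave no Data Access audit entries for that log type.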

Viewing and Analyzing Audit Logs

There are several ways to view and analyze audit logs in GCP:

  1. Logs Explorer: Open the Logs Viewer page and choose which logs to view by project, storage, and so on.
  2. Activity Page: Click Activity in the left menu of the GCP console; you can then filter the logs by type, user, or resource.
  3. Cloud Console: To start, go to the Cloud Console and then to the “Logging” page.
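Once entries are exported as JSON, the same "who did what, where, and when" view can be produced offline. The following added example (not part of the original article) maps each entry's log name to one of the four audit log types and extracts the principal, method, resource and timestamp; the sample entries are constructed and reduced to the fields the script reads.

```python
from urllib.parse import unquote

AUDIT_PREFIX = "cloudaudit.googleapis.com/"
LOG_TYPES = {"activity": "Admin Activity", "data_access": "Data Access",
             "system_event": "System Event", "policy": "Policy Denied"}

# Constructed sample entries: project, principals and resources are made up.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-05-01T10:15:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-project"}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-05-01T10:20:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "bob@example.com"},
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/example-bucket/objects/report.csv"}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fpolicy",
     "timestamp": "2024-05-01T10:25:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "bob@example.com"},
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/restricted-bucket/objects/x"}},
    {"logName": "projects/example-project/logs/syslog",
     "timestamp": "2024-05-01T10:30:00Z", "textPayload": "not an audit entry"},
]


def summarize(entry):
    """Return type/who/what/where/when, or None if the entry is not an audit log."""
    log_id = unquote(entry.get("logName", "")).rsplit("/logs/", 1)[-1]
    if not log_id.startswith(AUDIT_PREFIX):
        return None
    payload = entry.get("protoPayload", {})
    return {
        "type": LOG_TYPES.get(log_id[len(AUDIT_PREFIX):], "Unknown"),
        "who": payload.get("authenticationInfo", {}).get("principalEmail", "(not recorded)"),
        "what": payload.get("methodName"),
        "where": payload.get("resourceName"),
        "when": entry.get("timestamp"),
    }


def audit_trail(entries):
    """Summaries of the audit entries only, in input order."""
    return [s for s in map(summarize, entries) if s is not None]


if __name__ == "__main__":
    for row in audit_trail(SAMPLE_ENTRIES):
        print(row["when"], row["type"], row["who"], row["what"], row["where"], sep=" | ")
```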

 
