Table of contents
1. Introduction
2. Types of audit logs
2.1. Admin Activity audit logs
2.2. Data Access audit logs
2.3. System Event audit logs
2.4. Policy Denied audit logs
3. Configure Data Access audit logs
3.1. Configuration overview
3.2. Service-specific configurations
3.3. Google Cloud resource configurations
4. Google Cloud services with audit logs
5. Split audit log entries
6. Best practices for Cloud Audit Logs
6.1. Control access to logs
6.2. Set IAM permissions
6.3. Configure log views
6.4. Set log field-level access controls
7. Frequently Asked Questions
7.1. What are audit logs used for?
7.2. What is Google Cloud Platform?
7.3. What are the GCP cloud storage libraries and tools?
8. Conclusion
Last Updated: Mar 27, 2024

Cloud Audit logs in GCP

Introduction

Google Cloud services write audit logs that record administrative activities and accesses within your resources. Audit logs help you answer "who did what, where, and when?" within your Google Cloud resources with the same level of transparency as in on-premises environments. Enabling audit logs helps your auditing, security, and compliance teams monitor Google Cloud data and systems for possible vulnerabilities or external misuse of data.

Types of audit logs

Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:

Admin Activity audit logs

Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or modify Identity and Access Management permissions.

Admin Activity audit logs are always written; you cannot configure, disable, or exclude them. Even if you disable the Cloud Logging API, Admin Activity audit logs are still generated.

Data Access audit logs

Data Access audit logs contain log entries for API calls that read the configuration or metadata of resources, and for user-driven API calls that create, modify, or read user-provided resource data.

Publicly available resources, that is, resources whose Identity and Access Management policies make them accessible to everyone, don't generate audit logs. Resources that can be accessed without logging into a Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account also don't generate audit logs. This helps protect information and end-user identities.

System Event audit logs

System Event audit logs contain log entries for Google Cloud actions that modify the configuration of resources. They are generated by Google systems and are not driven by direct user action.

System Event audit logs are always written; you cannot configure, disable, or exclude them.

Policy Denied audit logs

Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation. These security policies are maintained by VPC Service Controls, which provides the Policy Denied audit logs to Cloud Logging.

Policy Denied audit logs are generated by default, and your Cloud project is charged for their storage. You cannot disable Policy Denied audit logs, but you can use exclusion filters to prevent them from being ingested and stored in Cloud Logging.

Configure Data Access audit logs

Configuration overview

You can configure and enable certain aspects of Data Access audit logs for your Google Cloud resources and services:

  • Organizations: You can configure and enable Data Access audit logs in an organization, which applies to all existing and new Cloud projects and folders in it.
  • Folders: You can configure and enable Data Access audit logs in a folder, which applies to all existing and new Cloud projects in the folder. You cannot disable a Data Access audit log that is enabled in the folder's parent organization.
  • Billing accounts: Use the Google Cloud CLI to configure Data Access audit logs for billing accounts.
  • Default configurations: You can set a default Data Access audit log configuration in an organization, folder, or Cloud project; it applies to any Google Cloud services that begin producing Data Access audit logs in the future.
  • Services: You can select the services whose audit logs you want to receive. For example, you might want audit logs from Compute Engine but not from Cloud SQL.
  • Projects: You can configure Data Access audit logs for a single Cloud project, but you cannot disable a Data Access audit log that is enabled in a parent folder or organization.
  • Log types: You can select which types of operations are recorded in your Data Access audit logs. There are 3 Data Access audit log types:
    • ADMIN_READ: Records operations that read configuration information or metadata.
    • DATA_READ: Records operations that read user-provided data.
    • DATA_WRITE: Records operations that write user-provided data. For example, Cloud DNS writes all 3 types of Data Access audit logs, but you can configure it to record only DATA_WRITE operations.
  • Exempted principals: You can prevent specific principals from having their data accesses recorded. For example, you can exempt your internal testing accounts from recording their Cloud Debugger operations.

Service-specific configurations

If there is both a Google Cloud service-wide (allServices) configuration and a configuration for a specific Google Cloud service, the resulting configuration for that service is the union of the two configurations. In other words:

  • You can enable Data Access audit logs for specific Google Cloud services, but you cannot disable Data Access audit logs for Google Cloud services that are enabled in the broader configuration.
  • You can add different kinds of information to a Google Cloud service's Data Access audit log, but you can't remove the information specified in the broader configuration.
  • Data Access audit log configuration is automatically inherited from your default audit log configuration for BigQuery Data Transfer Service.
  • You can add principals to exemption lists, but you cannot remove principals that are exempted in the broader configuration.

Google Cloud resource configurations

You can configure Data Access audit logs for organizations, folders, Cloud projects, and billing accounts. If there are configurations for a Google Cloud service at several levels of the hierarchy, the resulting configuration is the union of those configurations.

  • You can enable logs for a Google Cloud service, but you cannot disable logs for a Google Cloud service that is enabled in a parent organization or folder.
  • You can enable kinds of information (log types), but you cannot disable kinds of information that are enabled in a parent organization or folder.
  • You can add principals to exemption lists, but you cannot remove principals that are exempted in a parent folder or organization.
  • At the folder or parent organization level, you can enable Data Access audit logs for a Cloud project within that folder or organization, even if Data Access audit logs have not been configured in the Cloud project itself.
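The "union" rules above (service-specific plus allServices, and narrower resource plus every parent) can be checked before you set a policy. The following added example, which is not Google's code, computes the effective Data Access configuration for one service from the auditConfigs sections of an organization, folder, and project IAM policy. The input shape mirrors the auditConfigs list of an IAM policy; the service names, accounts and configurations are constructed samples.

```python
"""Effective Data Access audit log configuration under the union rules.

Added example, not Google's code. Input mirrors the `auditConfigs` section of
an IAM policy: a list of {"service": ..., "auditLogConfigs": [{"logType": ...,
"exemptedMembers": [...]}]}. The sample hierarchy below is constructed.
"""
from collections import defaultdict

LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
ALL_SERVICES = "allServices"


def _normalize(audit_configs):
    """Turn an auditConfigs list into {service: {log_type: set(exempted)}}."""
    out = defaultdict(dict)
    for cfg in audit_configs:
        service = cfg.get("service", ALL_SERVICES)
        for entry in cfg.get("auditLogConfigs", []):
            log_type = entry["logType"]
            if log_type not in LOG_TYPES:
                raise ValueError(f"unknown logType {log_type!r}")
            exempted = set(entry.get("exemptedMembers", []))
            out[service].setdefault(log_type, set()).update(exempted)
    return out


def effective_config(hierarchy, service):
    """Effective configuration for `service`.

    hierarchy: auditConfigs lists ordered organization, folder, project.
    Every level contributes both its allServices and its service-specific
    entries; log types and exempted principals accumulate and are never
    removed by a narrower level. Returns {log_type: sorted exempted members}.
    """
    result = {}
    for audit_configs in hierarchy:
        normalized = _normalize(audit_configs)
        for scope in (ALL_SERVICES, service):
            for log_type, exempted in normalized.get(scope, {}).items():
                result.setdefault(log_type, set()).update(exempted)
    return {lt: sorted(members) for lt, members in sorted(result.items())}


# Constructed sample hierarchy (no real projects or accounts).
ORG_AUDIT_CONFIGS = [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
]
FOLDER_AUDIT_CONFIGS = [
    {"service": "compute.googleapis.com",
     "auditLogConfigs": [
         {"logType": "DATA_WRITE",
          "exemptedMembers": [
              "serviceAccount:ci@example-project.iam.gserviceaccount.com"]}]},
]
PROJECT_AUDIT_CONFIGS = [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "DATA_READ",
                          "exemptedMembers": ["user:tester@example.com"]}]},
    # The project re-declares DATA_WRITE without the folder's exemption; the
    # union keeps the exemption, because a narrower level cannot remove it.
    {"service": "compute.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
]
HIERARCHY = [ORG_AUDIT_CONFIGS, FOLDER_AUDIT_CONFIGS, PROJECT_AUDIT_CONFIGS]

if __name__ == "__main__":
    for svc in ("compute.googleapis.com", "cloudsql.googleapis.com"):
        print(svc, effective_config(HIERARCHY, svc))
```

Run it and compare the two services: Compute Engine ends up with all three log types because the folder added DATA_WRITE, while Cloud SQL only receives what the allServices entries at organization and project level provide.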

Google Cloud services with audit logs 

The image below lists the Google Cloud and Google Workspace services that write audit logs.

In the following tables, GA indicates that a log type is Generally Available for a service; Beta or Preview indicates that a log type is available but might be changed in backward-incompatible ways and isn't subject to any SLA or deprecation policy.

To indicate that a log type is not available, n/a (not applicable) is used.

Google Cloud Logs and Services

Split audit log entries 

When a single audit log entry exceeds the size limit, Cloud Logging splits that entry and distributes the data from the original entry across several entries. Because the individual split entries do not each contain all the fields of the original audit log entry, users might need to reassemble them.
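Reassembly is straightforward once the pieces can be correlated. The added example below is not Google's code; it assumes each piece carries a split object with uid, index and totalSplits (the LogSplit field of a LogEntry), that pieces carry subsets of the original protoPayload fields, and that a shallow merge of those fields (earlier pieces win on conflict) is acceptable. The sample entries are constructed and the pieces arrive out of order on purpose.

```python
"""Reassemble audit log entries that Cloud Logging split for size.

Added example, not Google's code. Assumptions: every piece has
entry["split"] == {"uid": ..., "index": ..., "totalSplits": ...}, pieces hold
subsets of the original protoPayload, and a shallow merge (first piece wins on
a duplicated key) reconstructs the payload. Sample entries are constructed.
"""
from collections import defaultdict


class IncompleteSplitError(Exception):
    """Raised when some pieces of a split entry are missing."""


def reassemble_split_entries(entries):
    """Return unsplit entries unchanged and each split group merged into one.

    Pieces are grouped by split.uid, sorted by split.index, checked against
    totalSplits, and their protoPayload fields are merged. The merged entry
    keeps the metadata of piece 0 and drops the `split` marker.
    """
    groups = defaultdict(list)
    out = []
    for entry in entries:
        split = entry.get("split")
        if split is None:
            out.append(entry)
        else:
            groups[split["uid"]].append(entry)

    for uid, pieces in groups.items():
        pieces.sort(key=lambda e: e["split"]["index"])
        total = pieces[0]["split"]["totalSplits"]
        indexes = [p["split"]["index"] for p in pieces]
        if indexes != list(range(total)):
            raise IncompleteSplitError(
                f"split {uid}: have indexes {indexes}, expected 0..{total - 1}")
        merged = dict(pieces[0])
        merged.pop("split")
        payload = {}
        for piece in pieces:
            for key, value in piece.get("protoPayload", {}).items():
                payload.setdefault(key, value)   # first piece wins on conflict
        merged["protoPayload"] = payload
        out.append(merged)
    return out


LOG_NAME = "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access"

# Constructed sample: one ordinary entry plus a two-piece split entry whose
# pieces appear in reverse order.
SAMPLE_ENTRIES = [
    {"insertId": "a1", "logName": LOG_NAME,
     "protoPayload": {"methodName": "storage.objects.list",
                      "authenticationInfo": {"principalEmail": "user:alice@example.com"}}},
    {"insertId": "b1-1", "logName": LOG_NAME,
     "split": {"uid": "split-1", "index": 1, "totalSplits": 2},
     "protoPayload": {"methodName": "bigquery.jobs.insert",
                      "request": {"query": "SELECT ... (truncated in sample)"}}},
    {"insertId": "b1-0", "logName": LOG_NAME,
     "split": {"uid": "split-1", "index": 0, "totalSplits": 2},
     "protoPayload": {"methodName": "bigquery.jobs.insert",
                      "authenticationInfo": {"principalEmail": "user:bob@example.com"}}},
]

if __name__ == "__main__":
    for entry in reassemble_split_entries(SAMPLE_ENTRIES):
        print(entry["insertId"], sorted(entry["protoPayload"]))
```

Treat an IncompleteSplitError as a signal to keep waiting for the remaining pieces (or to query Logging for them by uid) rather than analysing a partial entry, since a piece on its own may lack the principal or the request that an investigation needs.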

Best practices for Cloud Audit Logs 

Control access to logs

Due to the sensitivity of audit logging data, it is essential to configure the appropriate access controls for your organization's users.

Depending on your usage requirements and compliance, set these access controls as follows:

  • Set IAM permissions
  • Configure log views
  • Set log entry field-level access control

Set IAM permissions

IAM permissions and roles determine users' ability to access audit log data in the Logs Explorer, the Logging API, and the Google Cloud CLI. Use IAM to grant granular access to specific log buckets and to prevent unwanted access to other resources.

The roles you grant to your users depend on their auditing-related functions within your organization. For example, you might grant your CTO broad administrative permissions, whereas your developer team members might require only log-viewing permissions.

When setting IAM permissions, use the security principle of least privilege, so you grant users only the required access to your resources:

  • Grant essential users minimal and correct permissions.
  • Remove all nonessential users.

Configure log views

All logs are ingested by Logging into storage containers known as log buckets. Log views let you control who has access to the logs within your log buckets.

Because log buckets can contain logs from multiple Cloud projects, you might need to control which Cloud projects different users can view logs from. To do this, create custom log views, which give you more granular access control for those buckets.

Set log field-level access controls

Field-level access controls let you hide individual LogEntry fields from users of a Google Cloud project, providing a more granular way to control the log data a user can access. Whereas log views can hide an entire LogEntry, field-level access controls hide individual fields of the entry. For example, you might want to redact external users' PII, such as an email address contained in the log entry payload, from most of your organization's users.

Frequently Asked Questions

What are audit logs used for?

Audit logs are used to record the occurrence of an event, the time at which it occurred, the responsible user or service, and the impacted entity.

What is Google Cloud Platform?

Google Cloud Platform (GCP) is Google's cloud platform, which allows users to access cloud systems and computing services. GCP offers a wide range of cloud computing services in the storage, compute, database, migration, and networking domains.

What are the GCP cloud storage libraries and tools?

The Google Cloud Platform Console, which performs primary object and bucket operations.

The gsutil command-line tool, which provides a command-line interface for Cloud Storage. The Cloud Storage client libraries provide programming support for various languages such as Java, Ruby, and Python.

Conclusion

I hope this article gave you insights into Cloud Audit Logs in Google Cloud Platform.
