Description:
- See who did what, where, and when
- Different from typical logs
- Each entry has a protoPayload field that contains an audit log object
  - has principalEmail (the identity that made the call)
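The following is an added example, not part of the original notes: a small parser that takes Cloud Logging entries in their exported JSON shape, keeps only those whose protoPayload is an AuditLog object, classifies each by the log ID in its logName (activity, system_event, data_access, policy), and pulls out the who/what/where/when fields. The sample entries are constructed; the project name, bucket, principals and IPs are made up.

```python
import json
from urllib.parse import unquote

# Every Cloud Audit Logs entry carries its AuditLog object in protoPayload with this @type.
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

# Log ID (the part of logName after "/logs/", URL-decoded) for each of the four audit log kinds.
LOG_ID_TO_KIND = {
    "cloudaudit.googleapis.com/activity": "admin_activity",
    "cloudaudit.googleapis.com/system_event": "system_event",
    "cloudaudit.googleapis.com/data_access": "data_access",
    "cloudaudit.googleapis.com/policy": "policy_denied",
}

# Constructed sample entries (project, bucket, principals and IPs are made up), in the
# LogEntry JSON shape that Cloud Logging exports. The last one is a plain syslog line.
SAMPLE_ENTRIES = json.loads(r"""
[
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
  "timestamp": "2024-05-01T10:15:00Z", "severity": "NOTICE",
  "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert",
    "resourceName": "projects/example-project/zones/us-central1-a/instances/vm-1",
    "authenticationInfo": {"principalEmail": "alice@example.com"},
    "requestMetadata": {"callerIp": "203.0.113.5"}}},
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2024-05-01T10:20:00Z", "severity": "INFO",
  "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
    "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
    "authenticationInfo": {"principalEmail": "bob@example.com"},
    "authorizationInfo": [{"permission": "storage.objects.get", "granted": true}]}},
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fsystem_event",
  "timestamp": "2024-05-01T11:00:00Z", "severity": "INFO",
  "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "compute.googleapis.com", "methodName": "compute.instances.migrateOnHostMaintenance",
    "resourceName": "projects/example-project/zones/us-central1-a/instances/vm-1"}},
 {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fpolicy",
  "timestamp": "2024-05-01T11:30:00Z", "severity": "ERROR",
  "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get",
    "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
    "authenticationInfo": {"principalEmail": "contractor@example.org"},
    "status": {"code": 7, "message": "PERMISSION_DENIED"}}},
 {"logName": "projects/example-project/logs/syslog", "timestamp": "2024-05-01T11:31:00Z",
  "textPayload": "not an audit log"}
]
""")


def audit_log_kind(entry):
    """Classify an entry by its log ID; None for entries that are not Cloud Audit Logs."""
    log_id = unquote(entry.get("logName", "")).split("/logs/", 1)[-1]
    return LOG_ID_TO_KIND.get(log_id)


def summarize(entry):
    """Pull 'who did what, where and when' out of one audit log entry, or None if it is not one."""
    payload = entry.get("protoPayload") or {}
    kind = audit_log_kind(entry)
    if kind is None or payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    return {
        "kind": kind,
        # System events are generated by Google Cloud, so principalEmail may be absent.
        "who": (payload.get("authenticationInfo") or {}).get("principalEmail"),
        "what": payload.get("methodName"),
        "where": payload.get("resourceName"),
        "when": entry.get("timestamp"),
        "caller_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
        # gRPC status code 7 is PERMISSION_DENIED; policy-denied entries carry it in status.
        "denied": (payload.get("status") or {}).get("code") == 7,
    }


def summarize_all(entries):
    """Summaries for every audit log entry in `entries`, skipping non-audit entries."""
    return [s for s in (summarize(e) for e in entries) if s is not None]


def denied_by_principal(entries):
    """Count policy-denied entries per principal, a quick triage view for denied-access spikes."""
    counts = {}
    for s in summarize_all(entries):
        if s["kind"] == "policy_denied":
            counts[s["who"]] = counts.get(s["who"], 0) + 1
    return counts


if __name__ == "__main__":
    for s in summarize_all(SAMPLE_ENTRIES):
        who = s["who"] or "(system)"
        print(f'{s["when"]} {s["kind"]:<14} {who:<24} {s["what"]} on {s["where"]}')
```

The logName check matters because protoPayload is also used by non-audit entries; requiring both the audit log ID and the AuditLog @type avoids misclassifying them.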
Admin activity audit logs:
- Log entries for API calls or other administrative actions that modify the configuration or metadata of resources
  - ex: create a VM or change an IAM role
System event audit logs:
- Log entries for Google Cloud administrative actions that modify the configuration of resources
  - Generated by Google Cloud systems, not user-driven
- Retained for 400 days
Data access audit logs:
- API calls that read the configuration or metadata of resources
- Also, user-driven API calls that create, modify, or read user-provided resource data
- Don't record data access operations on resources that:
  - are publicly shared
  - can be accessed without logging into Google Cloud
- Disabled by default; when enabled, retention is 30 days
  - only BigQuery is enabled by default?
- Three types of data access audit log:
  - Admin read: records operations that read metadata or configuration information
    - For example, you looked at the configuration (describe) of your bucket
  - Data read: records operations that read user-provided data
    - For example, you listed files and then downloaded one from Cloud Storage
  - Data write: records operations that write user-provided data
    - For example, you created a new Cloud Storage file
- Can also exempt specific users from logging
- Quite expensive: $0.50 per GB of audit log
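Enabling the three Data Access log types and exempting specific members is done through the auditConfigs section of the project's IAM policy. The code below is an added example, not from the original notes: it merges an audit config into a policy document (idempotently, so re-running it never duplicates entries), computes the effective configuration for a service under the documented rule that an allServices config and a service-specific config are unioned, and answers whether a given member's call would be recorded. The starting policy, project, etag and members are constructed.

```python
import copy
import json

# The three Data Access log types the IAM audit config accepts.
ALL_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed starting policy in the shape `gcloud projects get-iam-policy --format=json`
# returns; the etag, role binding and member are made up.
BASE_POLICY = {
    "version": 1,
    "etag": "BwXconstructedEtag=",
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
}


def enable_data_access_logs(policy, service, log_types=ALL_LOG_TYPES, exempted_members=()):
    """Return a copy of `policy` with the given Data Access log types enabled for `service`.

    `service` is an API name such as "storage.googleapis.com", or "allServices".
    Idempotent: existing auditConfigs entries are merged, never duplicated.
    """
    unknown = set(log_types) - set(ALL_LOG_TYPES)
    if unknown:
        raise ValueError(f"unknown log types: {sorted(unknown)}")
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    cfg = next((c for c in configs if c.get("service") == service), None)
    if cfg is None:
        cfg = {"service": service, "auditLogConfigs": []}
        configs.append(cfg)
    for log_type in log_types:
        entry = next((e for e in cfg["auditLogConfigs"] if e.get("logType") == log_type), None)
        if entry is None:
            entry = {"logType": log_type}
            cfg["auditLogConfigs"].append(entry)
        for member in exempted_members:
            exempt = entry.setdefault("exemptedMembers", [])
            if member not in exempt:
                exempt.append(member)
    return new_policy


def effective_config(policy, service):
    """Map of enabled log type -> set of exempted members for `service`.

    Follows the IAM semantics: when both an allServices config and a service-specific
    config exist, their union applies (log types from both are enabled and the
    exemptions from both apply).
    """
    effective = {}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") not in ("allServices", service):
            continue
        for entry in cfg.get("auditLogConfigs", []):
            effective.setdefault(entry["logType"], set()).update(entry.get("exemptedMembers", []))
    return effective


def is_logged(policy, service, log_type, member):
    """True if a call of this log type by `member` against `service` would be recorded."""
    exempt = effective_config(policy, service).get(log_type)
    return exempt is not None and member not in exempt


if __name__ == "__main__":
    ci = "serviceAccount:ci@example-project.iam.gserviceaccount.com"  # constructed
    policy = enable_data_access_logs(BASE_POLICY, "storage.googleapis.com",
                                     ("DATA_READ", "DATA_WRITE"), [ci])
    policy = enable_data_access_logs(policy, "allServices", ("ADMIN_READ",))
    print(json.dumps(policy["auditConfigs"], indent=2))
    print("CI reads logged:", is_logged(policy, "storage.googleapis.com", "DATA_READ", ci))
```

The resulting document is what you would write back with `gcloud projects set-iam-policy`; because the whole policy is replaced on write, keeping the etag from the read and merging rather than overwriting auditConfigs is what prevents clobbering settings someone else changed in between.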
Policy denied audit logs:
- Recorded when a Google Cloud service denies access to a user or service account
- Generated by default, and your Google Cloud project is charged for the log storage
- Can't disable policy denied audit logs