Cloud Audit Logs record who did what, when, where, and from which address across GCP. They are the primary evidence source for security monitoring, incident investigation, and compliance, but they are only as complete as their configuration: some log types are off by default. Access Transparency goes a step further and shows you when Google personnel access your data.
GCP produces four types of audit logs:
| Log Type | Content | Enabled By Default? | Cost |
|---|---|---|---|
| Admin Activity | Resource configuration and metadata changes (create, update, delete, IAM policy changes) | Yes (cannot be disabled) | Free |
| Data Access | Reads of resource data and metadata, and writes to user-provided data | No (must enable), except BigQuery, which is on by default | Charged |
| System Event | Google-initiated system actions (live migration, maintenance) | Yes (cannot be disabled) | Free |
| Policy Denied | Requests denied because of a security policy violation, for example a VPC Service Controls perimeter | Yes (cannot be disabled, but can be excluded with a sink exclusion filter) | Charged |
Admin Activity logs record API calls that change the configuration or metadata of a resource: creating, modifying, and deleting resources, and changing IAM policies. Writes to the data inside a resource (uploading an object to a bucket, inserting rows into a table) are Data Access logs, not Admin Activity logs. A trimmed entry for an instance deletion looks like this:

```json
{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "resource": {
    "type": "gce_instance",
    "labels": {
      "instance_id": "1234567890",
      "zone": "europe-west2-a"
    }
  },
  "protoPayload": {
    "methodName": "v1.compute.instances.delete",
    "authenticationInfo": {
      "principalEmail": "alice@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.45"
    }
  },
  "timestamp": "2024-03-15T14:30:00Z"
}
```

Note that the `/` in the log ID is stored URL-encoded as `%2F`; filters must match the encoded form.
| Field | Value |
|---|---|
| Who | principalEmail — the authenticated user or service account |
| What | methodName — the API method called |
| When | timestamp — time of the action |
| Where | resource — the affected resource |
| From | callerIp — the source IP address |
```sh
# View recent admin activity logs. gcloud logging read only looks back
# --freshness (default 1d), so widen it explicitly for investigations.
gcloud logging read \
  'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"' \
  --project=my-project \
  --freshness=7d \
  --limit=10 \
  --format=json

# Filter by a specific user
gcloud logging read \
  'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.authenticationInfo.principalEmail="alice@example.com"' \
  --project=my-project

# Filter by resource type
gcloud logging read \
  'logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity" AND resource.type="gce_instance"' \
  --project=my-project
```
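When you pull entries with `--format=json`, the result is a JSON array of LogEntry objects, and the first thing an analyst does is flatten each one into the who/what/when/where/from fields from the table above and flag the dangerous methods. The script below is an added example, not code from the original lesson: the three entries are constructed to mirror the Admin Activity entry shown earlier (plus a SetIamPolicy call and a Data Access read), and the list of high-risk method-name fragments is an illustrative choice, not a Google-supplied catalogue.

```python
"""Triage Cloud Audit Log entries exported with
`gcloud logging read ... --format=json`.

Added example, not part of the original lesson. SAMPLE_EXPORT is constructed
test data; HIGH_RISK_FRAGMENTS is the author's illustrative list.
"""
import json
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import unquote

# Constructed sample of what `gcloud logging read --format=json` returns:
# a JSON array of LogEntry objects, trimmed to the fields used here.
SAMPLE_EXPORT = json.dumps([
    {
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gce_instance",
                     "labels": {"instance_id": "1234567890", "zone": "europe-west2-a"}},
        "protoPayload": {
            "methodName": "v1.compute.instances.delete",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.45"},
        },
        "timestamp": "2024-03-15T14:30:00Z",
    },
    {
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "project", "labels": {"project_id": "my-project"}},
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "deploy@my-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "198.51.100.7"},
        },
        "timestamp": "2024-03-15T14:31:10Z",
    },
    {
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "payroll-exports"}},
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.99"},
        },
        "timestamp": "2024-03-15T14:32:00Z",
    },
])

# Method-name fragments treated as high risk (illustrative, case-insensitive).
HIGH_RISK_FRAGMENTS = ("delete", "setiampolicy", "updateauditconfig")


@dataclass
class AuditEvent:
    log_type: str      # activity, data_access, system_event, policy
    who: str
    what: str
    when: datetime
    where: str
    source_ip: str
    high_risk: bool


def log_type_of(log_name: str) -> str:
    """Last path segment of logName with %2F decoded:
    '.../cloudaudit.googleapis.com%2Factivity' -> 'activity'."""
    return unquote(log_name).rsplit("/", 1)[-1]


def parse_entry(entry: dict) -> AuditEvent:
    """Flatten one LogEntry into the who/what/when/where/from view."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    resource = entry.get("resource", {})
    labels = resource.get("labels", {})
    where = resource.get("type", "unknown")
    if labels:
        where += "/" + ",".join(f"{k}={v}" for k, v in sorted(labels.items()))
    return AuditEvent(
        log_type=log_type_of(entry.get("logName", "")),
        who=payload.get("authenticationInfo", {}).get("principalEmail", "<redacted>"),
        what=method,
        when=datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00")),
        where=where,
        source_ip=payload.get("requestMetadata", {}).get("callerIp", "<none>"),
        high_risk=any(f in method.lower() for f in HIGH_RISK_FRAGMENTS),
    )


def triage(export_json: str) -> list[AuditEvent]:
    return [parse_entry(e) for e in json.loads(export_json)]


def high_risk_actors(events: list[AuditEvent]) -> dict[str, list[str]]:
    """Map each principal to the high-risk methods it called."""
    out: dict[str, list[str]] = {}
    for ev in events:
        if ev.high_risk:
            out.setdefault(ev.who, []).append(ev.what)
    return out


if __name__ == "__main__":
    events = triage(SAMPLE_EXPORT)
    for ev in events:
        flag = "!!" if ev.high_risk else "  "
        print(f"{flag} {ev.when:%Y-%m-%d %H:%M} {ev.log_type:<12} {ev.who:<45} "
              f"{ev.what} on {ev.where} from {ev.source_ip}")
    print(high_risk_actors(events))
```

Pipe real output into it with `gcloud logging read ... --format=json > export.json` and call `triage(open("export.json").read())`. Entries whose `principalEmail` is absent (Google redacts the identity on some anonymous or public Data Access requests) come out as `<redacted>` rather than crashing the run.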
Data Access logs record read operations (viewing, listing, and querying data) and writes to user-provided data. They are not enabled by default, BigQuery excepted, because they are high volume and their ingestion is charged; a busy bucket can produce more Data Access entries in an hour than Admin Activity entries in a year.
```sh
# Enable via the Console:
# IAM & Admin → Audit Logs → Select a service → Enable Data Read / Data Write

# Enable via gcloud. The audit configuration lives inside the project's IAM
# policy, so export the policy, add auditConfigs, and write it back.
gcloud projects get-iam-policy my-project --format=json > policy.json
# Edit policy.json to add the auditConfigs block shown below
gcloud projects set-iam-policy my-project policy.json
```

`set-iam-policy` replaces the whole policy, not just the audit settings, so keep every existing `bindings` entry and the `etag` in the file you write back; dropping a binding here silently removes someone's access. The block to add to `policy.json`:

```json
{
  "auditConfigs": [
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        { "logType": "DATA_READ" },
        { "logType": "DATA_WRITE" }
      ]
    },
    {
      "service": "bigquery.googleapis.com",
      "auditLogConfigs": [
        { "logType": "DATA_READ" }
      ]
    }
  ]
}
```

Use `"service": "allServices"` to set a default for every service, and be sparing with `exemptedMembers` on an `auditLogConfigs` entry: each exempted principal is a blind spot in exactly the log an investigation will need.
| Scenario | Enable For |
|---|---|
| Regulatory compliance (HIPAA, PCI) | All services with sensitive data |
| Security monitoring | Cloud Storage, BigQuery, Secret Manager |
| Forensic readiness | Critical production services |
| Cost-sensitive environments | Only specific, high-risk services |
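Because `set-iam-policy` overwrites the entire policy, hand-editing `policy.json` is where mistakes happen. The script below is an added example, not code from the original lesson: it reads an exported policy, reports which services in a chosen scenario still lack Data Access logging, and merges the missing `auditConfigs` entries in while preserving every binding, the `etag`, and any existing `exemptedMembers`. The exported policy is constructed to resemble `get-iam-policy --format=json` output, and the service list mirrors the "Security monitoring" row of the table above.

```python
"""Merge Data Access audit configuration into an exported IAM policy.

Added example, not part of the original lesson. EXPORTED_POLICY is
constructed test data shaped like `gcloud projects get-iam-policy
PROJECT --format=json` output.
"""
import copy
import json

# Constructed: a minimal exported policy. Real exports carry more bindings
# and an opaque etag; both must survive the round trip because
# `set-iam-policy` replaces the whole policy, not just auditConfigs.
EXPORTED_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
    ],
    "auditConfigs": [
        {"service": "bigquery.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ],
    "etag": "BwX1example=",
    "version": 1,
})

# Services and log types wanted for the "Security monitoring" scenario.
SECURITY_MONITORING = {
    "storage.googleapis.com": ["DATA_READ", "DATA_WRITE"],
    "bigquery.googleapis.com": ["DATA_READ", "DATA_WRITE"],
    "secretmanager.googleapis.com": ["DATA_READ", "DATA_WRITE"],
}


def enabled_log_types(policy: dict) -> dict[str, set[str]]:
    """service -> set of logType values the policy already enables."""
    out: dict[str, set[str]] = {}
    for cfg in policy.get("auditConfigs", []):
        out.setdefault(cfg["service"], set()).update(
            c["logType"] for c in cfg.get("auditLogConfigs", []))
    return out


def missing_log_types(policy: dict, wanted: dict[str, list[str]]) -> dict[str, list[str]]:
    """Per service, the wanted log types the policy does not enable
    (empty dict when the policy already covers the scenario)."""
    have = enabled_log_types(policy)
    gaps: dict[str, list[str]] = {}
    for service, types in wanted.items():
        lacking = [t for t in types if t not in have.get(service, set())]
        if lacking:
            gaps[service] = lacking
    return gaps


def with_audit_config(policy: dict, wanted: dict[str, list[str]]) -> dict:
    """Return a copy of `policy` with `wanted` merged into auditConfigs.
    Existing entries (including exemptedMembers), bindings and etag are kept;
    the input is not mutated."""
    new = copy.deepcopy(policy)
    configs = new.setdefault("auditConfigs", [])
    by_service = {c["service"]: c for c in configs}
    for service, types in wanted.items():
        cfg = by_service.get(service)
        if cfg is None:
            cfg = {"service": service, "auditLogConfigs": []}
            configs.append(cfg)
            by_service[service] = cfg
        present = {c["logType"] for c in cfg.setdefault("auditLogConfigs", [])}
        for t in types:
            if t not in present:
                cfg["auditLogConfigs"].append({"logType": t})
    return new


if __name__ == "__main__":
    policy = json.loads(EXPORTED_POLICY)
    print("gaps before:", missing_log_types(policy, SECURITY_MONITORING))
    updated = with_audit_config(policy, SECURITY_MONITORING)
    print("gaps after: ", missing_log_types(updated, SECURITY_MONITORING))
    # Save the result and apply it with:
    #   gcloud projects set-iam-policy my-project policy-with-audit.json
    print(json.dumps(updated, indent=2))
```

Run `missing_log_types` again after applying the policy, on a fresh export, and you have a cheap compliance check for the table above that can live in CI alongside the rest of your project configuration.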
System Event logs record actions taken by Google systems rather than by users, such as a Compute Engine live migration or an automatic restart after host maintenance. They are always enabled and free, and because no principal initiates them, the `principalEmail` field is not a user you can question.