Google Cloud Audit Logs

Google Cloud Audit Logs provide tracking and auditing of activities within Google Cloud resources, ensuring transparency and security.

GCP Proprietary Cloud Service Only
Category Security Monitoring & Logging
Pricing Details Pricing varies based on log volume and retention settings.
Target Audience Cloud administrators, security teams, and compliance officers.

Google Cloud Audit Logs address the critical security and operational challenge of tracking and auditing activities within Google Cloud resources, providing transparency into who performed what actions, where, and when.

The technical architecture of Google Cloud Audit Logs revolves around the collection and storage of log entries in log buckets within the Cloud Logging service. These logs are categorized into several types, including Admin Activity, Data Access, System Event, and Policy Denied logs. Admin Activity logs, which are enabled by default, capture API calls and administrative actions that modify resource metadata. Data Access logs, which are optional and incur costs, track user interactions with data, such as creating, changing, or reading user-provided data. System Event logs, also enabled by default and cost-free, record changes to resource configurations triggered by Google systems. Policy Denied logs are generated when a Google Cloud service denies access due to a security policy violation and are enabled by default but may incur costs.

Operationally, these logs can be accessed and queried through the Logs Explorer in the Google Cloud Console, the Google Cloud CLI, or the Logging API. The Logs Explorer allows for filtering and querying log entries based on specific resource types and log names. For example, a query such as logName:"cloudaudit.googleapis.com" restricts results to audit log entries, and adding a condition on protoPayload.@type narrows them further by payload type. The gcloud CLI provides a command-line interface to read log entries at the project, folder, or organization level.

Key operational considerations include the storage and retention of logs, which can be routed to additional destinations such as BigQuery, Pub/Sub topics, or Cloud Storage buckets using sinks. Logs stored in the default log bucket are retained for 400 days, and custom retention periods can be configured. However, extensive logging, especially Data Access logs, can result in significant storage costs and may impact query performance.

Technically, each log entry is structured as a LogEntry object, containing fields such as logName, resource, timestamp, and protoPayload, which holds the audited information (the calling principal, the method invoked, and the resource it was invoked on). This structure allows for precise filtering and analysis of log data, enabling detailed audits and security investigations.
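The LogEntry structure and log-name conventions described above, worked through as an added example that is not part of the original page: constructed sample entries (one Admin Activity, one Data Access, one Policy Denied) are classified by the log-name suffix, reduced to who/what/where/when, and the entries a security team would review first are flagged. The IAM_CHANGE_METHODS set is an assumption made for this example.

```python
# Constructed sample LogEntry objects (not real exports). They follow the shape the
# page describes: logName identifies the log type, protoPayload carries the audited call.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2024-01-01T10:00:00Z",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "resourceName": "projects/example-project",
                      "authenticationInfo": {"principalEmail": "alice@example.com"}}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-01-01T10:05:00Z",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/example-bucket/objects/report.csv",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fpolicy",
     "timestamp": "2024-01-01T10:07:00Z",
     "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                      "serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/example-bucket/objects/secret.csv",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
]
# Admin Activity methods that change access rights; an assumed list for this example.
IAM_CHANGE_METHODS = {"SetIamPolicy"}

def log_type(entry):
    """Return activity / data_access / system_event / policy from the logName suffix."""
    # Cloud Logging URL-encodes the slash after cloudaudit.googleapis.com as %2F.
    return entry["logName"].rsplit("%2F", 1)[-1]

def summarize(entry):
    """Answer who did what, where and when for a single audit log entry."""
    p = entry["protoPayload"]
    return {"who": p["authenticationInfo"]["principalEmail"], "what": p["methodName"],
            "where": p["resourceName"], "when": entry["timestamp"], "type": log_type(entry)}

def notable(entries):
    """Flag Policy Denied entries and IAM-changing Admin Activity entries for review."""
    flagged = []
    for e in entries:
        s = summarize(e)
        if s["type"] == "policy" or (s["type"] == "activity" and s["what"] in IAM_CHANGE_METHODS):
            flagged.append(s)
    return flagged
```

The same functions apply unchanged to entries read from a BigQuery or Cloud Storage sink export, since those preserve the LogEntry field names.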
