Audit Logs
Google Cloud Platform (GCP) Associate Cloud Engineer (ACE) certification study notes. This guide helps with quick revision before the exam and can also be used as study notes during your preparation.
- Google Cloud services write audit logs that record administrative activities and accesses within your Google Cloud resources
- Cloud Audit Logs maintain three audit logs: Admin Activity logs, Data Access logs, and System Event logs
Log Types
- Admin Activity audit logs:
  - Contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - Admin Activity audit logs are always written; we can’t configure or disable them
- Data Access audit logs:
  - Contain API calls that read the configuration or metadata of resources, including user-driven API calls that create, modify, or read user-provided resource data
  - We must have the IAM role Logging/Private Logs Viewer or Project/Owner to view these logs
  - We must explicitly enable Data Access audit logs to be written. They are disabled by default because they are large
- System Event audit logs:
  - Contain log entries for administrative actions taken by Google Cloud that modify the configuration of resources
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - System Event audit logs are always written, so we can’t configure or disable them
  - There is no additional charge for System Event audit logs
- Policy Denied audit logs:
  - Contain log entries written when a Google Cloud service denies access to a user or service account because of a security policy violation
  - We must have the IAM role Logging/Logs Viewer or Project/Viewer to view these logs
  - Policy Denied audit logs are generated by default, and our cloud project is charged for their log storage
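Data Access audit logs are the one type that has to be switched on, and in practice that means editing the auditConfigs section of the project's IAM policy (get the policy, edit it, set it back). The following is an added example, not code from the original notes or from Google: it merges a Data Access configuration into a policy dictionary of the shape that `gcloud projects get-iam-policy PROJECT --format=json` returns, without dropping settings that are already there. The SAMPLE_POLICY, its etag and the member names are constructed values; `enable_data_access_logs` and `data_access_log_types` are names chosen here.

```python
import copy
import json

# Log types an IAM policy's auditConfigs may name. ADMIN_READ is also part of
# Data Access logging (reads of metadata); DATA_READ / DATA_WRITE cover reads
# and writes of user-provided data.
VALID_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample policy, shaped like `gcloud projects get-iam-policy --format=json`.
# Note the existing storage-only config with an exempted CI service account.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
    "auditConfigs": [
        {
            "service": "storage.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_WRITE",
                 "exemptedMembers": ["serviceAccount:ci@example.iam.gserviceaccount.com"]}
            ],
        }
    ],
    "etag": "BwConstructedEtag=",
}


def enable_data_access_logs(policy, service="allServices",
                            log_types=("DATA_READ", "DATA_WRITE"),
                            exempted_members=()):
    """Return a copy of `policy` with Data Access logs enabled for `service`.

    Existing auditConfigs entries are merged rather than replaced, so other
    services and previously exempted members keep their settings. The etag is
    left untouched because set-iam-policy uses it for optimistic locking.
    """
    for lt in log_types:
        if lt not in VALID_LOG_TYPES:
            raise ValueError(f"unknown logType {lt!r}")
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])

    # Find the entry for this service, or create one.
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    configs = entry.setdefault("auditLogConfigs", [])

    for lt in log_types:
        cfg = next((c for c in configs if c.get("logType") == lt), None)
        if cfg is None:
            cfg = {"logType": lt}
            configs.append(cfg)
        # Only extend exemptions; never overwrite an existing exemption list.
        if exempted_members:
            existing = cfg.setdefault("exemptedMembers", [])
            for member in exempted_members:
                if member not in existing:
                    existing.append(member)
    return new_policy


def data_access_log_types(policy, service="allServices"):
    """Sorted list of log types enabled for `service` (empty if none)."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            return sorted(c["logType"] for c in cfg.get("auditLogConfigs", []))
    return []


if __name__ == "__main__":
    # Write the merged policy out; the real workflow then runs
    #   gcloud projects set-iam-policy PROJECT policy.json
    updated = enable_data_access_logs(SAMPLE_POLICY)
    print(json.dumps(updated, indent=2))
```

The merge is idempotent, so re-running it against an already-enabled policy changes nothing, which is what you want in an automation job that reconciles logging settings on every run.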
Exporting Audit Logs
- Log entries received by Logging can be exported to Cloud Storage buckets, BigQuery datasets, and Pub/Sub topics
- To export audit log entries outside of Logging:
  - Create a logs sink
  - Give the sink a query that specifies the audit log types we want to export
- If we want to export audit log entries for a Google Cloud organization, folder, or billing account, we should review Aggregated sinks
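The two-step procedure above (create a sink, give it a query) is worth seeing with a concrete query, because the audit log types are selected by their logName and the slash in each log ID is URL-encoded as %2F. The following is an added example, not code from the original notes or from Google: it builds the Logging query for the chosen audit log types and assembles the matching `gcloud logging sinks create` command, for a single project or for an aggregated sink at organization, folder or billing-account level. The function names, the project and organization IDs and the sink name are constructed; the log IDs, destination URI formats and gcloud flags are the documented ones.

```python
import shlex

# Log IDs of the four Cloud Audit Logs streams. Inside a logName the "/" of
# the log ID is URL-encoded as %2F.
AUDIT_LOG_IDS = {
    "activity": "cloudaudit.googleapis.com%2Factivity",          # Admin Activity
    "data_access": "cloudaudit.googleapis.com%2Fdata_access",    # Data Access
    "system_event": "cloudaudit.googleapis.com%2Fsystem_event",  # System Event
    "policy": "cloudaudit.googleapis.com%2Fpolicy",              # Policy Denied
}
AGGREGATED_SCOPES = ("organizations", "folders", "billingAccounts")
SCOPE_FLAGS = {"projects": "--project", "organizations": "--organization",
               "folders": "--folder", "billingAccounts": "--billing-account"}


def audit_log_filter(scope, scope_id, log_types):
    """Logging query that matches only the requested audit log types."""
    if scope not in SCOPE_FLAGS:
        raise ValueError(f"unknown scope {scope!r}")
    unknown = [t for t in log_types if t not in AUDIT_LOG_IDS]
    if unknown:
        raise ValueError(f"unknown audit log type(s): {unknown}")
    if not log_types:
        raise ValueError("at least one audit log type is required")
    if scope == "projects":
        # Project sink: match the exact logName of this project's audit logs.
        clauses = [f'logName="projects/{scope_id}/logs/{AUDIT_LOG_IDS[t]}"'
                   for t in log_types]
    else:
        # Aggregated sink: entries from child projects carry their own resource
        # path in logName, so match on the log ID rather than an exact name.
        clauses = [f'logName:"{AUDIT_LOG_IDS[t]}"' for t in log_types]
    if len(clauses) == 1:
        return clauses[0]
    return "(" + " OR ".join(clauses) + ")"


def sink_destination(kind, project=None, name=None):
    """Destination URI for a sink: a Cloud Storage bucket, BigQuery dataset or Pub/Sub topic."""
    if kind == "storage":
        return f"storage.googleapis.com/{name}"
    if kind == "bigquery":
        return f"bigquery.googleapis.com/projects/{project}/datasets/{name}"
    if kind == "pubsub":
        return f"pubsub.googleapis.com/projects/{project}/topics/{name}"
    raise ValueError(f"unknown destination kind {kind!r}")


def sink_create_command(sink_name, destination, scope, scope_id, log_types):
    """gcloud argv (list form, safe for subprocess) that creates the sink."""
    argv = ["gcloud", "logging", "sinks", "create", sink_name, destination,
            f"--log-filter={audit_log_filter(scope, scope_id, log_types)}",
            f"{SCOPE_FLAGS[scope]}={scope_id}"]
    if scope in ("organizations", "folders"):
        # Export from every child project and folder, not just the container itself.
        argv.append("--include-children")
    return argv


if __name__ == "__main__":
    # Constructed IDs: an org-wide aggregated sink of Admin Activity and
    # Data Access logs into a BigQuery dataset in a central logging project.
    dest = sink_destination("bigquery", project="central-logging-proj", name="audit_logs")
    cmd = sink_create_command("org-audit-to-bq", dest, "organizations",
                              "123456789012", ["activity", "data_access"])
    print(shlex.join(cmd))
```

After the sink is created, gcloud prints the sink's writer identity (a service account); that identity still has to be granted write access on the destination (for example a creator role on the bucket or dataset), or the sink will fail to deliver.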
Pricing
- All features of Cloud Logging are free to use; charges apply only to ingested log volume beyond the free allotment