
Chapter 24 of 26

Security Controls, Audit Logs, and Policy Enforcement

Tie together IAM, audit logs, and organization policies to enforce security requirements and trace actions across your Google Cloud environment.

27 min read

Big Picture: Tying IAM, Logs, and Policies Together

Three Security Pillars

You will connect three pillars of Google Cloud security: IAM, audit logs, and organization policies. Together they prevent bad actions and let you prove what happened.

IAM Refresher

Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource. Here you add logs and policies on top.

What You Must Do

For the exam, you must know how to pick the right log type, find actions in Cloud Logging, understand org policy constraints, and secure key data services with IAM and policies.

Your On-Call Role

Imagine you are on call. Someone asks who deleted a bucket, or why external IPs are blocked. You will use IAM, logs, and org policies to answer these questions.

Understanding Cloud Logging Audit Logs

Audit Logs as Forensics

Audit logs in Cloud Logging are your forensic record of activity. Managed services write entries automatically; you do not need to enable basic logging.

Admin Activity Logs

Admin Activity logs record configuration changes like creating VMs or changing IAM. They are always on and free, and are the first place to look for "who changed what".

Data Access & System Events

Data Access logs capture reads and writes of user data; some require explicit enablement. System Event logs record system-level actions like auto-restarts.

Policy Denied Logs

Policy Denied logs show when an action is blocked by an organization policy. They are key to explaining mysterious permission denials.

Key Fields in Entries

Important fields include principalEmail (who), serviceName and methodName (what API), resource labels (which resource), and timestamp (when).

Hands-On: Locating and Filtering Audit Logs

Scenario: Deleted Bucket

A bucket `project-data-logs` was deleted. You must find who deleted it and when using Cloud Logging, just like you might in an exam scenario.

Navigating Logs Explorer

In the console, open Cloud Logging → Logs Explorer. Select the correct project, then choose the log name `cloudaudit.googleapis.com/activity`.

Filtering by Resource and Method

Filter by resource type GCS Bucket, then add query lines like methodName="storage.buckets.delete" and bucket_name="project-data-logs".

Reading the Entry

Run the query and open the log entry. Check principalEmail for who acted and timestamp for when the deletion occurred.
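The deleted-bucket query as an added example (not part of the Skarp chapter): the Logs Explorer filter for the scenario, and the same match applied locally to entries in the shape of a `gcloud logging read --format=json` export. The sample entries, the principals and `PROJECT_ID` are constructed placeholders.

```python
import json

BUCKET = "project-data-logs"

# Logs Explorer / `gcloud logging read` filter for the deletion (PROJECT_ID is a placeholder).
ADMIN_ACTIVITY_FILTER = (
    'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"\n'
    'protoPayload.methodName="storage.buckets.delete"\n'
    f'resource.labels.bucket_name="{BUCKET}"'
)

# Constructed sample export in the shape of `gcloud logging read --format=json`:
# an unrelated create, a delete of another bucket, and the deletion we want.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2026-03-02T09:12:41Z",
     "protoPayload": {"methodName": "storage.buckets.create",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}},
     "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "scratch-tmp"}}},
    {"timestamp": "2026-03-02T09:40:05Z",
     "protoPayload": {"methodName": "storage.buckets.delete",
                      "authenticationInfo": {"principalEmail": "dev@example.com"}},
     "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "scratch-tmp"}}},
    {"timestamp": "2026-03-02T10:03:17Z",
     "protoPayload": {"methodName": "storage.buckets.delete",
                      "authenticationInfo": {"principalEmail": "ops-admin@example.com"}},
     "resource": {"type": "gcs_bucket", "labels": {"bucket_name": BUCKET}}},
])


def find_bucket_deletions(export_json, bucket):
    """Apply the same match as ADMIN_ACTIVITY_FILTER locally; return (who, when) pairs."""
    hits = []
    for entry in json.loads(export_json):
        payload = entry.get("protoPayload", {})
        labels = entry.get("resource", {}).get("labels", {})
        if (payload.get("methodName") == "storage.buckets.delete"
                and labels.get("bucket_name") == bucket):
            # principalEmail is the actor; for a service account it is the SA address.
            who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
            hits.append((who, entry["timestamp"]))
    return hits


if __name__ == "__main__":
    print(ADMIN_ACTIVITY_FILTER)
    for who, when in find_bucket_deletions(SAMPLE_EXPORT, BUCKET):
        print(f"{BUCKET} deleted by {who} at {when}")
```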

Exam Tips

For config changes, use Admin Activity logs. For data reads/writes, use Data Access logs, which may need to be enabled first.

Organization Policies and Constraints

What is an Org Policy?

Organization policies enforce central security rules across folders and projects. They are evaluated whenever someone tries a restricted action.

Constraints vs Policies

A constraint is a predefined rule such as vmExternalIpAccess. A policy is your configuration of that constraint on an org, folder, or project.

Inheritance

Policies inherit down the resource hierarchy. Projects inherit from folders and the org unless explicitly overridden.

Common Security Constraints

Examples: gcp.resourceLocations, compute.vmExternalIpAccess, gcp.restrictServiceUsage, and gcp.restrictCmekCryptoKeyProjects.

Block vs Allow

Policies can be allow lists, deny lists, or more complex modes, depending on the constraint. Violations create Policy Denied log entries.

Configuring and Evaluating an Organization Policy

Scenario: Block External IPs

Requirement: No VM in the organization should have an external IP, except in one dedicated bastion project.

Org-Level Deny

At the org level, edit constraint constraints/compute.vmExternalIpAccess and configure it to deny external IPs by default.

Project-Level Exception

In the bastion-prod project, override the inherited policy for the same constraint to allow external IPs.

Resulting Behavior

All projects are blocked from using external IPs except bastion-prod. Attempts in other projects create Policy Denied log entries.
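A worked model of the org-level deny and the bastion-prod override, added here and not taken from the chapter or from Google's own evaluator. The hierarchy (folders, the `web-app` project, the organization id) is constructed, and the resolver is deliberately simplified to the override case this scenario uses (a project policy with `inheritFromParent: false` replaces what is inherited), not Google's full merging rules for list constraints.

```python
CONSTRAINT = "constraints/compute.vmExternalIpAccess"

# Parent links of a constructed resource hierarchy.
PARENT = {
    "projects/bastion-prod": "folders/infra",
    "projects/web-app": "folders/apps",
    "folders/infra": "organizations/123456789",
    "folders/apps": "organizations/123456789",
}

# The only two policies for this constraint, in the spec shape used by
# `gcloud org-policies set-policy`: an org-wide deny and the bastion-prod override.
POLICIES = {
    "organizations/123456789": {"rules": [{"denyAll": True}]},
    "projects/bastion-prod": {"inheritFromParent": False,
                              "rules": [{"allowAll": True}]},
}


def effective_rules(resource):
    """Rules that apply to `resource`, nearest policy first.

    Simplified resolver: a policy with inheritFromParent: false replaces
    everything above it; otherwise keep climbing to the organization.
    """
    collected, node = [], resource
    while node:
        policy = POLICIES.get(node)
        if policy:
            collected.extend(policy["rules"])
            if policy.get("inheritFromParent") is False:
                break
        node = PARENT.get(node)
    return collected


def external_ip_allowed(project):
    """True if a VM in `project` may get an external IP under CONSTRAINT."""
    for rule in effective_rules(project):
        if rule.get("allowAll"):
            return True
        if rule.get("denyAll"):
            return False
    return True  # no policy anywhere: this constraint allows by default


if __name__ == "__main__":
    for project in ("projects/bastion-prod", "projects/web-app"):
        state = "allowed" if external_ip_allowed(project) else "denied -> Policy Denied log entry"
        print(f"{project}: external IP {state} ({CONSTRAINT})")
```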

Exam Signal

Organization policies are for global guardrails. IAM answers "who can"; org policy answers "what is allowed at all".

IAM Conditions and Fine-Grained Access Control

What are IAM Conditions?

IAM Conditions let you add context-aware rules to IAM bindings, evaluated at request time using a CEL expression.

Basic Binding Refresher

A binding has a member, role, and resource. IAM Conditions add a fourth piece: a condition expression that must be true for access.

Time-Bound Access

You can use request.time in a condition to create temporary access that automatically expires after a specific timestamp.

Example Expression

Example: expression "request.time < timestamp('2026-07-01T00:00:00Z')" grants access only until July 1, 2026.
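The expression above turned into a conditional binding, as an added example that is not from the chapter: it builds the binding as it appears in a setIamPolicy body (conditions require policy version 3), and checks for a given request time whether the condition still holds. The member, role and the regex-based evaluator are assumptions; real IAM evaluates the full CEL expression.

```python
import re
from datetime import datetime

EXPRESSION = "request.time < timestamp('2026-07-01T00:00:00Z')"


def time_bound_binding(member, role, expression=EXPRESSION):
    """One conditional binding as it appears in a setIamPolicy request body."""
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": "expires-2026-07-01",
            "description": "Temporary access; IAM stops honouring it after the deadline",
            "expression": expression,
        },
    }


def conditional_policy(*bindings):
    """Wrap bindings in a policy; conditional bindings require version 3."""
    return {"version": 3, "bindings": list(bindings)}


def _parse(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def condition_allows(expression, request_time_iso):
    """Evaluate only the `request.time < timestamp('...')` form used above.

    Real IAM evaluates full CEL; this mirrors just the comparison so the
    cut-over second can be seen without touching a project.
    """
    m = re.fullmatch(r"request\.time < timestamp\('([^']+)'\)", expression.strip())
    if not m:
        raise ValueError(f"unsupported expression: {expression}")
    return _parse(request_time_iso) < _parse(m.group(1))


if __name__ == "__main__":
    binding = time_bound_binding("user:contractor@example.com", "roles/bigquery.dataViewer")
    policy = conditional_policy(binding)
    for when in ("2026-06-30T23:59:59Z", "2026-07-01T00:00:00Z"):
        verdict = "granted" if condition_allows(EXPRESSION, when) else "denied"
        print(f"policy v{policy['version']}: request at {when} -> {verdict}")
```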

Exam Focus

On the exam, pick IAM Conditions for time-limited or attribute-based access rather than manual role removal or custom scripts.

Securing Cloud Storage, Cloud SQL, and BigQuery

Cloud Storage Security

Use bucket-level IAM with least privilege, enable uniform bucket-level access, and enforce Public Access Prevention to avoid public buckets.

Cloud Storage Logs

Admin Activity logs show bucket changes; Data Access logs can show object reads and writes when enabled for audit purposes.

Cloud SQL Security

Use roles like cloudsql.admin for instance control, prefer private IP connectivity, and protect database user connections with TLS.

BigQuery Security

Apply dataset-level IAM roles, avoid broad bigquery.admin, and use authorized views or row-level security for sensitive data.

Org-Wide Protection

To prevent public buckets org-wide, use a public access prevention organization policy instead of manual per-bucket checks.
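A check for the Cloud Storage controls above, added here as an example and not part of the chapter: it flags buckets without uniform bucket-level access, without Public Access Prevention enforced, or with `allUsers`/`allAuthenticatedUsers` bindings. The bucket descriptions are constructed in the shape of the Cloud Storage JSON API bucket resource (`iamConfiguration`) with the bucket's IAM policy attached under an assumed `iamPolicy` key.

```python
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed bucket descriptions: iamConfiguration follows the Cloud Storage
# JSON API bucket resource; iamPolicy is the bucket's IAM policy attached for convenience.
SAMPLE_BUCKETS = [
    {"name": "project-data-logs",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                          "publicAccessPrevention": "enforced"},
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["group:analysts@example.com"]}]}},
    {"name": "legacy-assets",
     "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False},
                          "publicAccessPrevention": "inherited"},
     "iamPolicy": {"bindings": [{"role": "roles/storage.objectViewer",
                                 "members": ["allUsers"]}]}},
]


def bucket_findings(bucket):
    """Findings for one bucket against the three controls above."""
    cfg = bucket.get("iamConfiguration", {})
    findings = []
    if not cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access disabled: object ACLs still apply")
    # "inherited" means the storage.publicAccessPrevention org policy decides;
    # flag it so the org-level constraint gets confirmed instead of assumed.
    if cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced on the bucket")
    for binding in bucket.get("iamPolicy", {}).get("bindings", []):
        public = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if public:
            findings.append(f"{binding['role']} granted to {', '.join(sorted(public))}")
    return findings


def audit_buckets(buckets):
    """Map bucket name -> findings, listing only buckets with at least one."""
    report = {}
    for bucket in buckets:
        findings = bucket_findings(bucket)
        if findings:
            report[bucket["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```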

Thought Exercise: Choosing the Right Control

Work through these mini-scenarios. For each, decide which tool is the primary control: IAM, organization policy, or audit logs.

  1. Scenario A: Your security team wants to ensure that no resources are created outside the `europe-west` and `europe-central` regions anywhere in the organization.
  • Think: Is this about who can act, or where resources can exist? Which constraint might help?
  2. Scenario B: A contractor should have temporary read access to a BigQuery dataset for the next two weeks only.
  • Think: Do you want a one-time grant you must remember to remove, or an automatically expiring condition?
  3. Scenario C: A manager asks you to prove who modified a firewall rule that opened port 22 to the internet yesterday.
  • Think: Is this about preventing future changes, or reconstructing past events?
  4. Scenario D: You want to block creation of new Cloud Storage buckets that are publicly accessible across all projects.
  • Think: Is this a project-by-project IAM decision, or a policy about allowed configurations?

Pause and answer for yourself:

  • Scenario A:
  • Scenario B:
  • Scenario C:
  • Scenario D:

Then check:

  • A: Organization policy (`gcp.resourceLocations`).
  • B: IAM on the dataset with an IAM Condition using `request.time`.
  • C: Audit logs (Admin Activity for firewall changes).
  • D: Organization policy / public access prevention constraint on Storage.

As you do practice questions later in Skarp, try to classify each security option you see into these buckets: preventive IAM, preventive org policy, or detective logging.

Quiz: Audit Logs and Policies

Check your understanding of logs and org policies.

You are troubleshooting why developers cannot create new VM instances with external IP addresses in any project. They receive a generic permission denied error, even though they have the Compute Admin role. What is the MOST likely cause, and where do you confirm it?

  A) A project-level IAM policy denies the compute.instances.create permission; check the project's IAM page.
  B) An organization policy constraint like constraints/compute.vmExternalIpAccess is blocking external IPs; check Organization policies and Policy Denied audit logs.
  C) VPC firewall rules are blocking outbound traffic; check VPC firewall logs.
  D) Cloud Monitoring alerting policies are misconfigured; check the Monitoring alerts page.

Answer: B) An organization policy constraint like constraints/compute.vmExternalIpAccess is blocking external IPs; check Organization policies and Policy Denied audit logs.

Compute Admin IAM gives permission to create instances, so if they still cannot attach external IPs, an organization policy is likely blocking that configuration. The correct approach is to inspect the relevant organization policy constraint (such as constraints/compute.vmExternalIpAccess) and review Policy Denied audit log entries. IAM denies at the project level would not specifically target external IPs, and firewall rules or Monitoring alerts do not prevent instance creation.

Quiz: IAM Conditions and Data Service Security

Quick check on IAM Conditions and securing data services.

A contractor needs read access to a Cloud Storage bucket for exactly one month. You want access to automatically expire without manual cleanup. What is the BEST approach?

  A) Grant the contractor roles/storage.objectViewer on the bucket and create a calendar reminder to remove it in one month.
  B) Grant the contractor roles/storage.admin at the project level and rely on audit logs to monitor usage.
  C) Grant the contractor roles/storage.objectViewer on the bucket with an IAM Condition that restricts access to requests made before a specific timestamp in one month.
  D) Use VPC Service Controls to isolate the bucket for one month, then remove the perimeter.

Answer: C) Grant the contractor roles/storage.objectViewer on the bucket with an IAM Condition that restricts access to requests made before a specific timestamp in one month.

The best solution is to use an IAM Condition on the bucket-level role binding that uses request.time to enforce automatic expiry. Calendar reminders are manual and error-prone, project-level admin is excessive, and VPC Service Controls focus on perimeter isolation, not time-limited identity-based access.

Key Terms Review

Flip through these cards to reinforce core concepts before moving on.

Cloud Audit Logs: Admin Activity logs
Admin Activity logs record administrative operations that modify configuration or metadata (for example, creating a VM or changing IAM). They are always on and free, and are the primary source to answer "who changed what" questions.
Cloud Audit Logs: Data Access logs
Data Access logs record operations that read or write user data (for example, reading a Cloud Storage object or running a BigQuery query). Many Data Access logs are not fully enabled by default due to volume and cost.
Organization policy constraint
A constraint is a predefined rule in the Organization Policy Service that controls a specific behavior, such as allowed regions (gcp.resourceLocations) or whether VMs can have external IPs (compute.vmExternalIpAccess).
Organization policy inheritance
Organization policies apply at the organization, folder, or project level and inherit down the resource hierarchy. A project’s effective policy is the combination of its own policy and inherited policies from its parent folder and organization.
IAM Condition
An IAM Condition is a context-aware expression attached to an IAM binding. It uses Common Expression Language (CEL) and can reference attributes like request.time to create time-bound or attribute-based access control.
Policy Denied logs
Policy Denied logs are audit log entries generated when an operation is blocked by an organization policy constraint. They help explain why an action was denied and which constraint was triggered.
Public Access Prevention (Cloud Storage)
Public Access Prevention is a control that blocks public access to Cloud Storage buckets and objects, even if IAM or ACLs try to make them public. It can be set at the bucket level or enforced org-wide via organization policies.
Uniform bucket-level access (Cloud Storage)
Uniform bucket-level access disables object-level ACLs and enforces access control using only IAM at the bucket level, simplifying and strengthening Cloud Storage security management.
Dataset-level IAM (BigQuery)
Dataset-level IAM in BigQuery lets you assign roles like bigquery.dataViewer or bigquery.dataEditor to identities for a specific dataset, controlling who can read or modify tables and views in that dataset.
Associate Cloud Engineer role (exam context)
An Associate Cloud Engineer deploys and secures applications, services, and infrastructure, monitors operations of multiple projects, and maintains enterprise solutions to ensure that they meet target performance metrics.

Mini Incident Investigation Walkthrough

Imagine you are the Associate Cloud Engineer on call. A BigQuery dataset `customer_pii` was unexpectedly shared with a broad group, and someone ran a large export query.

Your task: reconstruct what happened using IAM and logs, and propose a control to prevent it next time.

Mentally walk through these steps:

  1. Identify the time window
  • When was the export noticed? Assume between 10:00 and 11:00 UTC today.
  2. Check Admin Activity logs for IAM changes
  • In Cloud Logging → Logs Explorer, filter:

```text
logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"
protoPayload.serviceName="bigquery.googleapis.com"
protoPayload.methodName="SetIamPolicy"
resource.labels.dataset_id="customer_pii"
```

  • Question: Who changed the IAM policy? What role did they grant, and to which member (for example, `group:all-analysts@example.com`)?
  3. Check Data Access logs for export queries
  • Still in Logs Explorer, switch to Data Access logs for BigQuery and filter for job creation methods (like `jobservice.InsertJob`) with `jobConfiguration.extract`.
  • Question: Which principal ran the export job? Does it match the IAM change actor or a different user?
  4. Correlate IAM and query activity
  • Note the timestamps: Did the IAM change happen shortly before the export query?
  • This sequence is strong evidence of cause and effect.
  5. Design a preventive control
  • Could you:
  • Restrict who can change IAM on sensitive datasets (use narrower IAM roles)?
  • Use IAM Conditions to limit access to specific principals or times?
  • Use organization policies to limit Data Access logs retention or require logging for BigQuery?
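Steps 2 to 4 carried out in code, as an added example that is not from the chapter: it pairs each export job from `customer_pii` with the IAM grants on that dataset made shortly before it. The log entries are constructed and trimmed to the fields used here (the legacy `serviceData.policyDelta.bindingDeltas` layout for the IAM change, a reduced `jobConfiguration.extract` for the job); the 15-minute window and the principals are assumptions.

```python
from datetime import datetime, timedelta

DATASET = "customer_pii"

def _iam_change(ts, actor, role, member):  # constructed Admin Activity entry, trimmed
    return {"timestamp": ts, "resource": {"labels": {"dataset_id": DATASET}},
            "protoPayload": {"methodName": "SetIamPolicy",
                             "authenticationInfo": {"principalEmail": actor},
                             "serviceData": {"policyDelta": {"bindingDeltas": [
                                 {"action": "ADD", "role": role, "member": member}]}}}}

def _export_job(ts, actor, dataset, table):  # constructed Data Access entry, trimmed
    return {"timestamp": ts,
            "protoPayload": {"methodName": "jobservice.InsertJob",
                             "authenticationInfo": {"principalEmail": actor},
                             "jobConfiguration": {"extract": {
                                 "sourceTable": {"datasetId": dataset, "tableId": table}}}}}

ADMIN_ACTIVITY = [_iam_change("2026-03-02T10:21:08Z", "lead@example.com",
                              "roles/bigquery.dataViewer", "group:all-analysts@example.com")]
DATA_ACCESS = [_export_job("2026-03-02T10:27:52Z", "analyst7@example.com", DATASET, "customers"),
               _export_job("2026-03-02T08:02:00Z", "etl@example.com", "public_stats", "daily")]

_t = lambda iso: datetime.fromisoformat(iso.replace("Z", "+00:00"))  # RFC 3339 -> aware datetime

def correlate_exports(admin_entries, data_entries, dataset, window_minutes=15):
    """For each export from `dataset`, list IAM grants on it made within the window before."""
    results = []
    for job in data_entries:
        extract = job["protoPayload"].get("jobConfiguration", {}).get("extract")
        if not extract or extract["sourceTable"]["datasetId"] != dataset:
            continue  # not an export of the dataset under investigation
        job_time, grants = _t(job["timestamp"]), []
        for change in admin_entries:
            cp = change["protoPayload"]
            gap = job_time - _t(change["timestamp"])
            if (cp["methodName"] != "SetIamPolicy"
                    or change["resource"]["labels"]["dataset_id"] != dataset
                    or not timedelta(0) <= gap <= timedelta(minutes=window_minutes)):
                continue
            for d in cp["serviceData"]["policyDelta"]["bindingDeltas"]:
                if d["action"] == "ADD":  # who granted what to whom, and how long before the export
                    grants.append((cp["authenticationInfo"]["principalEmail"],
                                   d["role"], d["member"], int(gap.total_seconds())))
        results.append({"exporter": job["protoPayload"]["authenticationInfo"]["principalEmail"],
                        "at": job["timestamp"], "grants_before": grants})
    return results
```

Run it with `print(correlate_exports(ADMIN_ACTIVITY, DATA_ACCESS, DATASET))` to see the grant made 404 seconds before the export, which is the timestamp evidence step 4 asks for.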

Write down (mentally or on paper) a one-sentence answer:

  • "I would detect this by ______ and prevent it next time by ______."

This is the type of reasoning Skarp’s mock exams will push you to practice: combine IAM understanding, log analysis, and policy design into a clear, exam-ready answer.

Key Terms

Constraint
A predefined rule in the Organization Policy Service that controls a specific behavior, such as allowed regions or whether VMs can have external IPs.
IAM Condition
A context-aware expression attached to an IAM binding that must evaluate to true for access to be granted, often used for time-bound or attribute-based access control.
Service account
A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.
Cloud Audit Logs
A Google Cloud feature that records administrative and data access operations as structured log entries, including Admin Activity, Data Access, System Event, and Policy Denied logs.
Data Access logs
Audit logs that record operations that read or write user data in Google Cloud services. They can be selectively enabled due to their volume and cost.
Policy Denied logs
Audit log entries generated when an operation is blocked by an organization policy constraint, indicating which policy caused the denial.
Admin Activity logs
Audit logs that record administrative operations that modify configuration or metadata of Google Cloud resources. They are always enabled and free.
Organization policy
A configuration of one or more constraints applied at the organization, folder, or project level to enforce rules about how resources can be configured or used.
Public Access Prevention
A Cloud Storage feature that blocks public access to buckets and objects, overriding IAM or ACL settings that would otherwise allow public access.
Identity and Access Management (IAM)
Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.
