SkarpSkarp

Chapter 26 of 27

Audit Logs, Cloud Logging, and Compliance-Oriented Monitoring

Every action leaves a trail; harness audit logs and observability tools to meet compliance requirements and investigate security events.

27 min readen

Big Picture: Why Audit Logs Matter for Security and Compliance

Why Logs Matter

In Google Cloud, almost every meaningful action is recorded. For security and compliance, you must know what is logged, where to find it, and how to use it during operations and incidents.

Three Pillars

We focus on three pillars: audit logs (who did what), Cloud Logging (view and route logs), and Cloud Monitoring (metrics and alerts from logs and resources).

Compliance Angle

Regulations like GDPR, ISO 27001, SOC 2, HIPAA, and PCI DSS require evidence of access, configuration changes, and timely detection of suspicious activity.

Tools in Google Cloud

Cloud Audit Logs capture admin and data access events, Cloud Logging stores and queries them with IAM-based access, and Cloud Monitoring turns them into alerts and dashboards.

Exam Relevance

Expect questions on audit log types, filtering IAM and security events, exporting logs to Cloud Storage or BigQuery, and designing investigation workflows using these tools.

Cloud Audit Logs: Types, Scope, and Where to Find Them

What Are Cloud Audit Logs?

Cloud Audit Logs record activity in your projects, folders, and organizations. You must know the main categories and where they live for both the exam and real operations.

Admin Activity Logs

Admin Activity logs record configuration changes, such as creating VMs, editing firewall rules, or modifying IAM policies. They are always enabled and free within quotas.

Data Access Logs

Data Access logs record API calls that read or write user data, like reading Cloud Storage objects or BigQuery queries. They may be disabled by default and can be enabled per service.

System Event & Policy Denied

System Event logs capture Google-managed operations (like autoscaling). Policy Denied logs capture requests blocked by org policies or VPC Service Controls before reaching services.

Log Names and Scope

Find them in Logs Explorer by filtering `cloudaudit.googleapis.com`. Example: `...%2Factivity`, `...%2Fdataaccess`, `...%2Fsystemevent`, `...%2Fpolicy`, all scoped to a project, folder, or org.

Hands-On: Finding Admin Activity and Data Access Logs in Logs Explorer

Scenario A: Firewall Change

You want to know who changed a firewall rule. In Logs Explorer, select the project, filter for `cloudaudit.googleapis.com/activity`, and target firewall-related method names like `compute.firewalls.patch`.

Firewall Change Query

Example query:

```

logName = "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"

protoPayload.methodName = "v1.compute.firewalls.patch"

```

Inspecting Firewall Logs

Open a log entry and look at `protoPayload.authenticationInfo.principalEmail` (who), plus `request` and `response` fields (what changed in the firewall rule).

Scenario B: Storage Object Access

To see who read an object in a sensitive bucket, filter Data Access logs for `gcs_bucket` and method `storage.objects.get` targeting your bucket name.

Storage Access Query

Example query:

```

logName = "projects/PROJECTID/logs/cloudaudit.googleapis.com%2Fdataaccess"

protoPayload.serviceName = "storage.googleapis.com"

protoPayload.methodName = "storage.objects.get"

resource.labels.bucketname = "SENSITIVEBUCKET_NAME"

```

IAM + Cloud Logging: Who Can See and Manage Logs?

IAM Controls Log Access

Logs can be sensitive, so access is controlled by IAM at the project, folder, or org level. IAM defines who has what role for which resource.

Key Logging Roles

Logs Viewer can read logs. Logs Writer lets services or service accounts write logs. Logs Admin manages all logging configs and data.

Private Logs Viewer

Private Logs Viewer can view all logs, including sensitive Data Access logs. Many orgs restrict this to security or compliance teams.

Log Sinks and Service Accounts

When you create a log sink, Cloud Logging creates a sink-specific service account. You must grant it access (for example, to write to a Cloud Storage bucket).

Service Accounts in Logs

When workloads run under a service account, that identity appears as `principalEmail` in audit logs, linking back to your service account and Workload Identity design.

Exporting Audit Logs: Cloud Storage, BigQuery, and Beyond

Why Export Logs?

Default Cloud Logging retention is limited. Compliance often needs years of history and deeper analytics, so you export logs for long-term storage and reporting.

Export to Cloud Storage

Use Cloud Storage for low-cost archival of audit logs. Combine with Object Lifecycle Management and storage classes like Standard, Nearline, Coldline, and Archive.

Export to BigQuery

Use BigQuery for interactive analysis and reporting. Run SQL to list IAM changes, data access events, or other compliance-focused queries over long periods.

Export via Pub/Sub

Export to Pub/Sub for real-time streaming into SIEM tools or custom processors. This is useful for centralized security monitoring across platforms.

Creating a Log Sink

In Logs Router, create a sink, choose a destination, define a filter (for example, audit logs), and then grant the sink service account permission on the destination.

CLI Practice: Creating an Audit Log Sink for Long-Term Storage

Here is an example of using the `gcloud` CLI to create a log sink that exports Admin Activity and Data Access logs to a Cloud Storage bucket for long-term retention.

```bash

Variables

PROJECT_ID="my-project"

SINK_NAME="audit-log-archive-sink"

BUCKET_NAME="my-audit-log-bucket" # Bucket must already exist

1. Create a sink that exports Admin Activity and Data Access logs

The filter selects both activity and data_access audit logs

FILTER='logName:("cloudaudit.googleapis.com%2Factivity" OR "cloudaudit.googleapis.com%2Fdata_access")'

gcloud logging sinks create "$SINK_NAME" \

"storage.googleapis.com/$BUCKET_NAME" \

--log-filter="$FILTER" \

--project="$PROJECT_ID"

2. Get the sink's service account to grant it permissions on the bucket

SINKSA=$(gcloud logging sinks describe "$SINKNAME" \

--project="$PROJECT_ID" \

--format='value(writerIdentity)')

echo "Sink service account: $SINK_SA"

3. Grant the sink service account permission to write objects to the bucket

Typically you grant storage.objectCreator

gcloud storage buckets add-iam-policy-binding "gs://$BUCKET_NAME" \

--member="$SINK_SA" \

--role="roles/storage.objectCreator"

```

Try to read this script line by line and answer:

  • What logs are being exported?
  • Where are they going?
  • Which IAM role is required on the bucket for the sink service account?

Cloud Monitoring: Turning Logs and Metrics into Security Signals

Why Cloud Monitoring?

Cloud Logging stores events, but Cloud Monitoring turns them into actionable alerts and dashboards using metrics, uptime checks, and alerting policies.

Log-Based Metrics

You can define log-based metrics that count or measure events matching a log filter, such as IAM policy changes or repeated permission denied errors.

Unusual API Activity

Example: create a log-based metric for audit logs where `methodName` contains `setIamPolicy`, then alert if the count exceeds a threshold in a short time window.

Resource Change Monitoring

Monitor creation or deletion of VMs, firewall rules, or buckets. Alerts on spikes can reveal compromised accounts or misbehaving automation.

From Logs to Alerts

Typical pipeline: Logs → Log-based metric → Alerting policy → Notification channels (email, SMS, PagerDuty, etc.). This is a frequent exam pattern.

Thought Exercise: Designing a Simple Security Alert

Imagine you are responsible for a production project. Your security team is worried about unauthorized changes to IAM policies.

Design a simple alert using Cloud Logging and Cloud Monitoring that:

  • Detects when IAM policies are changed more than 5 times in 10 minutes.
  • Notifies the on-call engineer by email.

Think through these questions step by step:

  1. Which log type contains IAM policy changes?
  • Hint: these are configuration changes, not data reads.
  1. What log fields would you filter on to detect IAM policy changes?
  • Consider fields like `protoPayload.methodName` and `serviceName`.
  1. How would you turn that log pattern into something Cloud Monitoring can alert on?
  • Do you go directly from logs to alerts, or is there an intermediate object?
  1. What threshold and window will you configure?
  • For example, count of events > 5 within 10 minutes.
  1. Where do you configure the email notification?
  • Think about notification channels in Cloud Monitoring.

Write your answers in your own words (mentally or on paper). Then compare them to the recommended solution in the next explanation step.

Investigation Workflow: Responding to a Suspected Security Incident

Start from the Alert

Cloud Monitoring fires an alert about high IAM policy change activity. First, confirm details: metric, threshold, and time window, and review related dashboards.

Investigate in Logs Explorer

Filter Admin Activity logs for `setIamPolicy` in the project and time window. Sort by time and look for unusual patterns like bursts of changes or odd hours.

Identify the Actor

Inspect `protoPayload.authenticationInfo.principalEmail` to see which user or service account made the changes, and whether that identity is expected.

Understand the Change

Review `protoPayload.request` to see which roles and members were added or removed. Watch for risky grants like `roles/owner` or large groups.

Check Data Access & Remediate

Search Data Access logs for that identity to see if sensitive data was accessed. Then roll back bad changes, rotate credentials, and document the incident.

Quiz 1: Audit Log Types and Locations

Test your understanding of Cloud Audit Logs and where to find them.

You need to investigate who deleted a Compute Engine VM yesterday. Which log type and log name should you focus on in Logs Explorer?

  1. Data Access logs with logName ending in `cloudaudit.googleapis.com%2Fdata_access`
  2. Admin Activity logs with logName ending in `cloudaudit.googleapis.com%2Factivity`
  3. System Event logs with logName ending in `cloudaudit.googleapis.com%2Fsystem_event`
  4. VPC Flow Logs with logName ending in `compute.googleapis.com%2Fvpc_flows`
Show Answer

Answer: B) Admin Activity logs with logName ending in `cloudaudit.googleapis.com%2Factivity`

Deleting a VM is a configuration change, not a data read/write, so it is recorded in **Admin Activity logs**. In Logs Explorer, you should filter on `cloudaudit.googleapis.com%2Factivity`. Data Access logs focus on data operations, System Event logs cover Google-managed background events, and VPC Flow Logs record network traffic, not resource deletions.

Quiz 2: Export and Alerting Scenarios

Check how well you can map scenarios to the right logging and monitoring features.

Your compliance team requires 7 years of searchable history for IAM policy changes, and your security team wants alerts when IAM policies change more than 10 times in 5 minutes. Which combination best meets both needs?

  1. Keep default Cloud Logging retention and create an alerting policy directly on audit logs without metrics.
  2. Create a log sink exporting Admin Activity logs to Cloud Storage, and a log-based metric plus Cloud Monitoring alert for IAM policy changes.
  3. Export all logs to BigQuery only and run a daily script to send emails if thresholds are exceeded.
  4. Enable Data Access logs only and configure VPC Service Controls for the project.
Show Answer

Answer: B) Create a log sink exporting Admin Activity logs to Cloud Storage, and a log-based metric plus Cloud Monitoring alert for IAM policy changes.

For long-term retention, export **Admin Activity logs** to **Cloud Storage** via a log sink. For real-time alerts, create a **log-based metric** on IAM policy change events and then a **Cloud Monitoring alerting policy** on that metric. Default retention alone is not enough for 7 years, and Data Access logs or VPC Service Controls do not address the stated requirements.

Key Term Review: Audit Logs and Monitoring

Flip through these cards to reinforce the most important concepts from this module.

Cloud Audit Logs: Admin Activity
Audit logs that record administrative operations that modify configuration or metadata (for example, creating VMs, changing firewall rules, modifying IAM policies). Always enabled and stored at no additional cost within quotas.
Cloud Audit Logs: Data Access
Audit logs that record API calls which read or write user data (for example, reading Cloud Storage objects, querying BigQuery tables). Often disabled or partially disabled by default due to volume; enable them per project/service as needed.
Cloud Audit Logs: System Event
Audit logs that record Google-managed operations affecting your resources, such as infrastructure maintenance or autoscaling-related actions.
Cloud Audit Logs: Policy Denied
Audit logs that record requests blocked by organization policies or perimeter controls (such as Org Policy constraints or VPC Service Controls) before they reach the target service.
Logs Explorer
The Cloud Logging interface where you can search, filter, and view logs (including Cloud Audit Logs) across your projects, folders, and organizations.
Log Sink
A Cloud Logging configuration that routes selected logs (based on a filter) to a destination such as Cloud Storage, BigQuery, or Pub/Sub, often used for long-term retention or external analysis.
Log-Based Metric
A Cloud Monitoring metric derived from log entries matching a filter. Used to count or measure specific log patterns and to drive alerting policies.
Logs Viewer vs Private Logs Viewer
Logs Viewer can read most logs in a project. Private Logs Viewer can also see sensitive logs such as Data Access logs, typically restricted to security or compliance teams.
Principal Email in Audit Logs
The field (for example, `protoPayload.authenticationInfo.principalEmail`) that shows which identity (user, service account, or external identity) performed the logged action.
Investigation Workflow (High Level)
Alert (Cloud Monitoring) → Filter relevant audit logs (Cloud Logging) → Identify actor and actions → Check related data access → Contain and remediate → Document for compliance.

Key Terms

Log sink
A Cloud Logging configuration that exports selected logs to destinations such as Cloud Storage, BigQuery, or Pub/Sub.
Cloud Logging
The centralized logging service in Google Cloud that stores, views, filters, and routes logs from Google Cloud services and your applications.
Logs Explorer
The Cloud Logging interface used to search, filter, and inspect log entries, including Cloud Audit Logs.
service account
A service account is a special kind of account used by an application or compute workload, not a person, to make authorized API calls and access Google Cloud resources.
Cloud Audit Logs
A Google Cloud feature that records administrative activity, data access, system events, and policy-denied events for resources in your projects, folders, and organizations.
Cloud Monitoring
The Google Cloud service that provides metrics, dashboards, uptime checks, log-based metrics, and alerting policies for monitoring resources and applications.
Data Access logs
Cloud Audit Logs that capture read and write operations on user data for many Google Cloud services.
Log-based metric
A metric in Cloud Monitoring that is generated from log entries matching a specified filter, often used to drive alerts based on log patterns.
System Event logs
Cloud Audit Logs that record Google-managed operations affecting your resources, such as infrastructure maintenance and autoscaling actions.
Policy Denied logs
Cloud Audit Logs that record requests blocked by organization policies or perimeter controls before they reach the target service.
Admin Activity logs
Cloud Audit Logs that capture configuration and metadata changes, such as creating or deleting resources and modifying IAM policies.
Identity and Access Management (IAM)
Identity and Access Management (IAM) lets you manage access control by defining who (identity) has what access (role) for which resource.

Finished reading?

Test your understanding with a custom practice exam on this chapter.

Test yourself