Enable Cloud Audit Logging
Beginner
Enable Cloud Audit Logs on all GCP projects for admin activity, data access, and system events — required for security monitoring, incident response, and compliance.
File Patterns
- `**/*.tf`
- `**/*.yaml`
- `**/*.yml`
- `**/gcloud/**`
- `**/logging/**`
This rule applies to files matching the patterns above.
Rule Content
rule-content.md
# Enable Cloud Audit Logging
## Rule
All GCP projects MUST have Admin Activity audit logs enabled (default). Data Access audit logs MUST be enabled for sensitive services (IAM, Cloud Storage, BigQuery, Cloud SQL).
## Audit Log Types
| Log Type | Default | Content |
|----------|---------|---------|
| Admin Activity | Always on | Resource creation, deletion, modification |
| Data Access | Off by default | Read/list operations on data |
| System Event | Always on | Google-triggered system actions |
| Policy Denied | Always on | Access denied by IAM or Org Policy |
## Enable Data Access Logs
```bash
# Export the current IAM policy (bindings, etag and any existing auditConfigs)
gcloud projects get-iam-policy myproject --format=json > policy.json
```
Add (or merge) the following `auditConfigs` block into `policy.json`, keeping the existing `bindings` and `etag`:
```json
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        { "logType": "ADMIN_READ" },
        { "logType": "DATA_READ" },
        { "logType": "DATA_WRITE" }
      ]
    }
  ]
}
```
```bash
# Apply the policy. set-iam-policy replaces the whole policy, so policy.json
# must still contain the original bindings and etag, not only auditConfigs.
gcloud projects set-iam-policy myproject policy.json
```
## Terraform Configuration
```hcl
resource "google_project_iam_audit_config" "all_services" {
  project = var.project_id
  service = "allServices"

  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}
```
## Log Routing to BigQuery
```bash
# Create a log sink for long-term analysis (the BigQuery dataset must already exist).
# The filter matches all audit log types: activity, data_access, system_event, policy.
gcloud logging sinks create audit-logs-bq \
  bigquery.googleapis.com/projects/myproject/datasets/audit_logs \
  --log-filter='logName:"cloudaudit.googleapis.com"'
# The command prints the sink's writer identity (a service account); grant it
# roles/bigquery.dataEditor on the dataset or the sink will silently fail to export.
```
## Key Queries
```bash
# View recent admin activity (gcloud logging read defaults to the last 1 day;
# widen the window with --freshness, e.g. --freshness=7d)
gcloud logging read 'logName:"cloudaudit.googleapis.com/activity"' \
  --limit=50 --format=json

# Service account key creation events
gcloud logging read 'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey"' \
  --limit=10

# IAM policy changes on the project (use methodName:"SetIamPolicy" for a
# substring match that also catches SetIamPolicy calls on other services)
gcloud logging read 'protoPayload.methodName="SetIamPolicy"' \
  --limit=10
```
## Enforcement
- Verify the audit config with: `gcloud projects get-iam-policy PROJECT` (check the `auditConfigs` section)
- Organization-level policy to require audit logging (an audit config set on the organization is inherited by every project)
- Route audit logs to a central project for security team access
- Retain audit logs for a minimum of 1 year (compliance requirement)
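The enable procedure above edits the exported policy by hand, and the first enforcement bullet only says to look at it. The following added example (not part of this rule's own content) does both offline on a constructed policy document shaped like `gcloud projects get-iam-policy --format=json` output: it reports which required log types are missing for `allServices` and merges them in while preserving `bindings` and `etag`, so the result is safe to feed to `set-iam-policy`.

```python
import json
from typing import List

# Log types this rule requires on allServices. Admin Activity writes are
# always logged; ADMIN_READ/DATA_READ/DATA_WRITE are the configurable ones.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample policy: bindings present, no Data Access audit config yet.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "etag": "BwXexampleEtag=",
    "version": 1,
}


def missing_log_types(policy: dict, service: str = "allServices") -> List[str]:
    """Return the required log types that are not enabled for `service`."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != service:
            continue
        for entry in cfg.get("auditLogConfigs", []):
            # An entry with exemptedMembers is still enabled for everyone else.
            enabled.add(entry.get("logType"))
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]


def enforce_audit_config(policy: dict, service: str = "allServices") -> dict:
    """Return a copy of `policy` with the required audit config merged in.

    Everything else (bindings, etag, version) is kept, because
    set-iam-policy replaces the entire policy rather than only auditConfigs.
    """
    updated = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    configs = updated.setdefault("auditConfigs", [])
    target = next((c for c in configs if c.get("service") == service), None)
    if target is None:
        target = {"service": service, "auditLogConfigs": []}
        configs.append(target)
    entries = target.setdefault("auditLogConfigs", [])
    present = {e.get("logType") for e in entries}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            entries.append({"logType": log_type})
    return updated


if __name__ == "__main__":
    print("missing:", missing_log_types(SAMPLE_POLICY))
    # Write this JSON to policy.json, then: gcloud projects set-iam-policy PROJECT policy.json
    print(json.dumps(enforce_audit_config(SAMPLE_POLICY), indent=2))
```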