This page describes Access Approval. Access Approval enables you to require your explicit approval whenever Google support and engineering need to access your customer data.
Google Cloud offers industry-leading controls to prevent unauthorized access by our support and engineering teams to your customer data. For many customers, additional transparency can also be helpful, which is why we were the first cloud provider to offer Access Transparency Logs. For some customers, even greater control is required. In this case, it may make sense to manage access by Google personnel on your own, and require your explicit approval every time your customer data is accessed. For this reason, we developed Access Approval - a product that allows you to require your explicit approval whenever Google support and engineering need to access your customer data.
How Access Approval works
Access Approval works by sending you an email or Pub/Sub message with an access request that you are able to approve.
Using the information in the message, you can use the Google Cloud Console or the Access Approval API to approve the access.
Access Approval exclusions
The following actions by Google will not trigger an access approval request:
System access to user content. These accesses are checked by our binary authorization functionality, which verifies that the job originates from code that was checked into production and reviewed by a second party.
Accesses to lower-level storage systems. Access to underlying infrastructure that targets a particular user's data is designed to generate an Access Transparency log (except interactions with hardware). However, these accesses will not be in scope for Access Approval. For example, an engineer may be able to run a query in an underlying database without this query triggering an Access Approval request, however should our systems detect that this query targeted a specific user's information, our Access Transparency system is designed to detect this and egress a log to the affected customer.
Manual access for the following reasons.
- Legal access
- Where Google accesses customer data to comply with legal requirements, these accesses will bypass the access approval service.
- Outage access
- Where Google accesses customer data to resolve an outage, these accesses will bypass the access approval service.
- Legal access
Any other exception as documented in the Access Transparency documentation. Anything that fails to generate an Access Transparency log will also not generate an Access Approval request.