Work with Sensitive Actions logs

Sensitive actions are always written to Sensitive Actions Service platform logs. Additionally, Google Cloud provides a summary of sensitive actions through Advisory Notifications.

Links to view the first three individual actions of each type in the platform logs are provided in the notification. You need an appropriate Identity and Access Management role, such as roles/logs.viewer, to be able to view Cloud Logging logs.

If there are more than three sensitive actions of a particular type, the notification might also provide a link to view all actions in Logging. However, this link is not provided in all cases. Some sensitive actions, such as adding a project-level SSH key, can occur in several different projects in your organization. In this case, Google can't provide you with a single Logging link to view all the sensitive actions, because Logging is always scoped to a particular resource (project, folder, or organization).

View all Sensitive Actions logs in the organization

If you want to see all Sensitive Actions logs in your organization, you can set up a Logging bucket to aggregate these logs.

Use the following query to include all Sensitive Actions logs in the bucket:

You can add additional terms if you only want certain types of Sensitive Actions logs, such as AND "add_ssh_key".

Set up alerts for Sensitive Actions logs

If you want to get more frequent alerts about sensitive actions, you can configure a log-based alert. For example, use the following query to match all Sensitive Actions logs:

What's next