Work with Sensitive Actions logs

Sensitive actions are always written to Sensitive Actions Service platform logs. Additionally, Google Cloud provides a summary of sensitive actions through Advisory Notifications.

The notification provides links to view the first three individual actions of each type in the platform logs. To view Cloud Logging logs, you need an appropriate Identity and Access Management role, such as roles/logs.viewer.

If there are more than three sensitive actions of a particular type, the notification might also provide a link to view all actions in Logging. However, this link is not provided in all cases. Some sensitive actions, such as adding a project-level SSH key, can occur in several different projects in your organization. In this case, Google can't provide you with a single Logging link to view all the sensitive actions, because Logging is always scoped to a particular resource (project, folder, or organization).

View all Sensitive Actions logs in the organization

If you want to see all Sensitive Actions logs in your organization, you can set up a Logging bucket to aggregate these logs.

Use the following query to include all Sensitive Actions logs in the bucket:

logName:sensitiveaction.googleapis.com%2Faction

You can add further terms to the query if you only want certain types of Sensitive Actions logs, such as AND "add_ssh_key".

Set up alerts for Sensitive Actions logs

If you want to get more frequent alerts about sensitive actions, you can configure a log-based alert. For example, use the following query to match all Sensitive Actions logs:

logName:sensitiveaction.googleapis.com%2Faction
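The following is an added example, not code from this page or from Google. It builds the two queries above (the unrestricted one and the one narrowed with an AND term), replays their matching semantics over a few constructed log entries to show why an organization-wide bucket is needed when the same action type occurs in several projects, and emits the gcloud sink command and the log-based alert policy body that would use the query. All project, bucket and organization names are placeholders, the jsonPayload field names in the sample entries are an assumption made for the example, and the alert policy uses the Monitoring API's conditionMatchedLog shape with no notification channels set.

```python
"""Added example for this page (not Google's own code or tooling): build the
Logging queries the page gives for Sensitive Actions logs, replay their
matching semantics over constructed log entries, and emit the gcloud sink
command and log-based alert policy that would use them."""
import json
import shlex

# Log ID from the page's query. In a full logName it appears after "/logs/",
# e.g. projects/PROJECT_ID/logs/sensitiveaction.googleapis.com%2Faction.
SENSITIVE_ACTION_LOG_ID = "sensitiveaction.googleapis.com%2Faction"


def sensitive_actions_filter(action_type=None):
    """The page's query, optionally narrowed with an AND term such as "add_ssh_key"."""
    query = f"logName:{SENSITIVE_ACTION_LOG_ID}"
    if action_type:
        query += f' AND "{action_type}"'
    return query


def matches(entry, action_type=None):
    """Approximate how Logging evaluates the filter on one entry (a dict in
    LogEntry shape): `logName:X` is a substring ("has") match on logName, and a
    bare quoted term matches if the text appears anywhere in the entry."""
    if SENSITIVE_ACTION_LOG_ID not in entry.get("logName", ""):
        return False
    if action_type is None:
        return True
    return action_type in json.dumps(entry)


def count_by_resource(entries, action_type=None):
    """Count matching entries per owning resource (the logName prefix before
    /logs/). This is the org-wide view the page says a single Logging link
    cannot give you, since each link is scoped to one project, folder or org."""
    counts = {}
    for entry in entries:
        if matches(entry, action_type):
            resource = entry["logName"].split("/logs/", 1)[0]
            counts[resource] = counts.get(resource, 0) + 1
    return counts


def org_sink_command(sink_name, org_id, bucket_project, bucket_id,
                     action_type=None, location="global"):
    """gcloud command for an organization-level aggregated sink that routes
    Sensitive Actions logs from every child project into one log bucket.
    The bucket must already exist; names and IDs here are placeholders."""
    destination = (f"logging.googleapis.com/projects/{bucket_project}"
                   f"/locations/{location}/buckets/{bucket_id}")
    return " ".join([
        "gcloud logging sinks create", shlex.quote(sink_name), destination,
        f"--organization={org_id}", "--include-children",
        f"--log-filter={shlex.quote(sensitive_actions_filter(action_type))}",
    ])


def alert_policy(display_name, action_type=None, rate_limit_seconds=300):
    """Monitoring alert policy (log-based alert) body for
    `gcloud alpha monitoring policies create --policy-from-file=FILE`.
    Add notificationChannels before creating it; the field names follow the
    Monitoring API's conditionMatchedLog shape (assumption for this example)."""
    return {
        "displayName": display_name,
        "combiner": "OR",
        "conditions": [{
            "displayName": "Sensitive action logged",
            "conditionMatchedLog": {"filter": sensitive_actions_filter(action_type)},
        }],
        "alertStrategy": {
            "notificationRateLimit": {"period": f"{rate_limit_seconds}s"},
            "autoClose": "1800s",
        },
    }


# Constructed sample entries. The jsonPayload field names are an assumption made
# for this example; the real Sensitive Actions payload schema is not on the page.
SAMPLE_ENTRIES = [
    {"logName": "projects/example-prod/logs/" + SENSITIVE_ACTION_LOG_ID,
     "jsonPayload": {"actionType": "add_ssh_key"}},
    {"logName": "projects/example-dev/logs/" + SENSITIVE_ACTION_LOG_ID,
     "jsonPayload": {"actionType": "add_ssh_key"}},
    {"logName": "projects/example-prod/logs/" + SENSITIVE_ACTION_LOG_ID,
     "jsonPayload": {"actionType": "other_sensitive_action"}},  # hypothetical type
    {"logName": "projects/example-prod/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "SetIamPolicy"}},  # not a Sensitive Actions log
]

if __name__ == "__main__":
    print(org_sink_command("sensitive-actions", "ORG_ID", "sec-logs-project", "sensitive-actions"))
    print(json.dumps(alert_policy("Sensitive actions (all types)"), indent=2))
    print(count_by_resource(SAMPLE_ENTRIES, "add_ssh_key"))
```

Run as a script it prints the sink command, the policy JSON and the per-project counts for add_ssh_key; the counts span two projects, which is exactly the case the page says a single Logging link cannot cover and an aggregated bucket can. The sink uses --include-children so logs from every project under the organization are routed, and the alert policy's notificationRateLimit keeps a burst of sensitive actions from turning into a burst of notifications.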

What's next