Improve instance security by enabling database auditing

This page describes how to enable database auditing in AlloyDB, how the database auditing recommender works, and how you can use it.

The AlloyDB database auditing recommender helps you detect production instances whose auditing is not enabled. It then provides recommendations to enable database auditing.

Recommendations are generated daily.

Before you begin

Before you can view recommendations and insights, do the following:

List the recommendations

You can list the enable database auditing recommendations using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

  1. In the Google Cloud console, go to the Clusters page.

    Go to Clusters

    For more information, see Exploring recommendations.

  2. In the Security card, click Auditing not enabled.

    A list of clusters with instances to which the Auditing not enabled recommendation applies is displayed.

gcloud CLI

To list the enable database auditing recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \
--project=PROJECT_ID \
--location=LOCATION \
--recommender=google.alloydb.instance.SecurityRecommender \
--filter=recommenderSubtype=ENABLE_DATABASE_AUDITING

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

API

To list enable database auditing recommendations using the Recommendations API, call the recommendations.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

View insights and detailed recommendations

You can view insights and detailed recommendations about instances that require enabling database auditing using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

On the Clusters page, click the recommendation for an instance in the Issues column. The recommendation panel appears, which contains insights and detailed recommendations.

gcloud CLI

Run the gcloud recommender insights list command as follows:


gcloud recommender insights list \
--project=PROJECT_ID \
--location=LOCATION \
--insight-type=google.alloydb.instance.SecurityInsight \
--filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION : A region where your instances are located, such as us-central1.

API

Call the insights.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

Apply the recommendation

Evaluate the recommendation carefully and do any of the following:

Console

To implement the recommendation, follow instructions in Enable pgAudit.

gcloud CLI

To implement the recommendation, follow instructions in Enable pgAudit.

What's next