This page describes how to enable database auditing in AlloyDB, how the database auditing recommender works, and how you can use it.
The AlloyDB database auditing recommender helps you detect production instances whose auditing is not enabled. It then provides recommendations to enable database auditing.
Recommendations are generated daily.
Before you begin
Before you can view recommendations and insights, do the following:
Ensure that you enable the Recommender API.
To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles.
Tasks Roles View recommendations recommender.alloydbViewerApply recommendations recommender.alloydbAdminoralloydb.adminSee Grant access to other users for more information.
List the recommendations
You can list the enable database auditing recommendations
using the Google Cloud console, gcloud CLI, or the Recommender API.
Console
In the Google Cloud console, go to the Clusters page.
For more information, see Exploring recommendations.
In the Security card, click Auditing not enabled.
A list of clusters with instances to which the Auditing not enabled recommendation applies is displayed.
gcloud CLI
To list the enable database auditing recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:
gcloud recommender recommendations list \ --project=PROJECT_ID \ --location=LOCATION \ --recommender=google.alloydb.instance.SecurityRecommender \ --filter=recommenderSubtype=ENABLE_DATABASE_AUDITING
Replace the following:
PROJECT_ID: Your project ID.LOCATION: A region where your instances are located, such asus-central1.
API
To list enable database auditing recommendations using the Recommendations API, call the
recommendations.list
method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING
Replace the following:
PROJECT_ID: Your project ID.LOCATION: A region where your instances are located, such asus-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances
that require enabling database auditing using the Google Cloud console,
gcloud CLI, or the Recommender API.
Console
On the Clusters page, click the recommendation for an instance in the Issues column. The recommendation panel appears, which contains insights and detailed recommendations.
gcloud CLI
Run the gcloud recommender insights list command as follows:
gcloud recommender insights list \ --project=PROJECT_ID \ --location=LOCATION \ --insight-type=google.alloydb.instance.SecurityInsight \ --filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1.
API
Call the insights.list method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1.
Apply the recommendation
Evaluate the recommendation carefully and do any of the following:
Console
To implement the recommendation, follow instructions in Enable pgAudit.
gcloud CLI
To implement the recommendation, follow instructions in Enable pgAudit.