Improve instance security by enabling database auditing
This page describes how to enable database auditing in AlloyDB, how the database auditing recommender works, and how you can use it.
The AlloyDB database auditing recommender helps you detect production instances whose auditing is not enabled. It then provides recommendations to enable database auditing.
Before you begin
Before you can view recommendations and insights, do the following:
In the Security card, click Auditing not enabled.
A list of clusters with instances to which the Auditing not enabled recommendation applies is displayed.
gcloud CLI
To list the enable database auditing recommendations using gcloud CLI, run the gcloud recommender recommendations list command as follows:
LOCATION: A region where your instances are located, such as us-central1.
API
To list the enable database auditing recommendations using the Recommendations API, call the recommendations.list method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING
Replace the following:
PROJECT_ID: Your project ID.
LOCATION: A region where your instances are located, such as us-central1.
View insights and detailed recommendations
You can view insights and detailed recommendations about instances that require enabling database auditing using the Google Cloud console, gcloud CLI, or the Recommender API.
Console
On the Clusters page, click the recommendation for an instance in the Issues column.
The recommendation panel appears, which contains insights and detailed recommendations.
LOCATION: A region where your instances are located, such as us-central1.
API
Call the insights.list method as follows:
GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED
Replace the following:
PROJECT_ID: Your project ID.
LOCATION: A region where your instances are located, such as us-central1.
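The two list calls above can be combined into a single triage step. The following is an added example, not code from the AlloyDB documentation: it builds both request URLs from this page and correlates each ACTIVE recommendation with the resources named by its associated insights. The sample responses, resource names and helper names are constructed for illustration; the field names follow the Recommender v1 Recommendation and Insight resources.

```python
import json
from urllib.parse import urlencode

BASE = "https://recommender.googleapis.com/v1"
RECOMMENDER = "google.alloydb.instance.SecurityRecommender"
INSIGHT_TYPE = "google.alloydb.instance.SecurityInsight"

def list_urls(project_id, location):
    """Return the (recommendations.list, insights.list) URLs shown on this page."""
    parent = f"{BASE}/projects/{project_id}/locations/{location}"
    rec_q = urlencode({"filter": "recommenderSubtype=ENABLE_DATABASE_AUDITING"}, safe="=")
    ins_q = urlencode({"filter": "insightSubtype=DATABASE_AUDITING_NOT_ENABLED"}, safe="=")
    return (f"{parent}/recommenders/{RECOMMENDER}/recommendations?{rec_q}",
            f"{parent}/insightTypes/{INSIGHT_TYPE}/insights?{ins_q}")

def unaudited_instances(recs_json, insights_json):
    """Pair each ACTIVE recommendation with the resources its insights target."""
    targets = {i["name"]: i.get("targetResources", [])
               for i in json.loads(insights_json).get("insights", [])}
    findings = []
    for rec in json.loads(recs_json).get("recommendations", []):
        if rec.get("recommenderSubtype") != "ENABLE_DATABASE_AUDITING":
            continue
        if rec.get("stateInfo", {}).get("state") != "ACTIVE":
            continue  # claimed, applied or dismissed: no longer open
        for link in rec.get("associatedInsights", []):
            for resource in targets.get(link.get("insight"), []):
                findings.append((resource, rec["name"]))
    return sorted(findings)

# Constructed sample responses (not real API output); all names are placeholders.
_P = "projects/example-project/locations/us-central1"
_INST = "//alloydb.googleapis.com/" + _P + "/clusters/c1/instances/"
def _insight(n):
    return f"{_P}/insightTypes/{INSIGHT_TYPE}/insights/{n}"
SAMPLE_INSIGHTS = json.dumps({"insights": [
    {"name": _insight("i1"), "targetResources": [_INST + "primary"]},
    {"name": _insight("i2"), "targetResources": [_INST + "read-pool"]}]})
SAMPLE_RECS = json.dumps({"recommendations": [
    {"name": "r1", "recommenderSubtype": "ENABLE_DATABASE_AUDITING",
     "stateInfo": {"state": "ACTIVE"},
     "associatedInsights": [{"insight": _insight("i1")}]},
    {"name": "r2", "recommenderSubtype": "ENABLE_DATABASE_AUDITING",
     "stateInfo": {"state": "DISMISSED"},
     "associatedInsights": [{"insight": _insight("i2")}]}]})

if __name__ == "__main__":
    for resource, rec in unaudited_instances(SAMPLE_RECS, SAMPLE_INSIGHTS):
        print(resource, rec)
```

Dismissed recommendations are skipped here, so an instance whose finding was dismissed rather than fixed will not appear; review dismissed entries separately if auditing coverage must be complete.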
Apply the recommendation
Evaluate the recommendation carefully and do any of the following:
Console
To implement the recommendation, follow the instructions in Enable pgAudit.
gcloud CLI
To implement the recommendation, follow the instructions in Enable pgAudit.
Last updated: 2025-09-05 (UTC)