Overview
Anthos clusters on AWS (GKE on AWS) supports audit logging at both the Cloud API and Kubernetes cluster level. This document provides information about Kubernetes cluster audit logging. For information about Cloud API audit logging, see Cloud API audit logging information.
Anthos clusters on AWS makes use of Kubernetes Audit Logging, which keeps a chronological record of calls made to a cluster's Kubernetes API server. Audit logs are useful for investigating suspicious API requests and for collecting statistics.
In cluster versions 1.23 and higher, Anthos clusters on AWS writes Cloud Audit Logs in a Google Cloud project by default. Writing to Cloud Audit Logs has the following benefits:
- Audit logs for all Anthos clusters can be centralized.
- Log entries written to Cloud Audit Logs are immutable.
- Cloud Audit Logs entries are retained for 400 days.
- Cloud Audit Logs is included in the price of Anthos.
Limitations
The current version of Cloud Audit Logs for Anthos clusters on AWS has several limitations:
- Data access (get, list, watch requests) logging is not supported.
- Modifying the Kubernetes audit policy is not supported.
- Cloud Audit Logs is not resilient to extended network outages. If the log entries cannot be exported to Google Cloud, they are cached in a 10G disk buffer. If that buffer fills, then subsequent entries are dropped.
Before you begin
To enable Cloud Audit Logs, you must add outbound access to servicecontrol.googleapis.com from your control plane subnets.
Audit policy
Cloud Audit Logs behavior is determined by a statically-configured Kubernetes audit logging policy. Changing this policy is currently not supported, but will be available in a future release.
Access Cloud Audit Logs
You can access Cloud Audit Logs in the Google Cloud console or with the Google Cloud CLI.
Console
In the Google Cloud console, go to the Logs Explorer page in the Logging menu.
Click the Show query toggle.
Fill the text box with the following filter:
resource.type="k8s_cluster" logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity"
Click Run query to display all audit logs from Anthos clusters on AWS clusters that were configured to log to this project.
gcloud
List the first two log entries in your project's Admin Activity log that apply to the k8s_cluster resource type:
gcloud logging read \
  'logName="projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity" AND resource.type="k8s_cluster"' \
  --limit 2 \
  --freshness 300d
where PROJECT_ID is your project ID.
The output shows two log entries. Notice that for each log entry, the logName field has the value projects/PROJECT_ID/logs/externalaudit.googleapis.com%2Factivity and protoPayload.serviceName is equal to gkemulticloud.googleapis.com.
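The entries returned by the gcloud command above can be saved with --format=json and reviewed offline. The following script is an added example, not part of this documentation or of the gcloud tooling: it reads such a JSON array, keeps only the k8s_cluster Admin Activity entries whose logName and protoPayload.serviceName match the values described on this page, counts requests per principal and Kubernetes verb, and lists requests that the API server rejected. The embedded sample entries are constructed for illustration; the field layout (protoPayload.methodName, authenticationInfo.principalEmail, status.code) follows the standard Cloud Audit Logs format, and the project ID, cluster name, principals and status codes are invented.

```python
"""Summarize Anthos clusters on AWS Kubernetes audit entries exported as JSON.

Added example, not Google's own code. Assumes the input is the JSON array
produced by:  gcloud logging read '<filter from this page>' --format=json
"""
import json
from collections import Counter

# Values taken from this page; only entries matching both are counted.
EXPECTED_LOG_SUFFIX = "/logs/externalaudit.googleapis.com%2Factivity"
EXPECTED_SERVICE = "gkemulticloud.googleapis.com"

# Constructed sample: two k8s_cluster Admin Activity entries and one
# unrelated entry that the filter must discard. Not real log data.
SAMPLE_JSON = json.dumps([
    {
        "logName": "projects/my-project/logs/externalaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "aws-cluster-1", "project_id": "my-project"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "io.k8s.core.v1.secrets.create",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "status": {},
        },
        "timestamp": "2023-05-01T10:00:00Z",
    },
    {
        "logName": "projects/my-project/logs/externalaudit.googleapis.com%2Factivity",
        "resource": {"type": "k8s_cluster",
                     "labels": {"cluster_name": "aws-cluster-1", "project_id": "my-project"}},
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "io.k8s.rbac.authorization.v1.clusterrolebindings.create",
            "authenticationInfo": {"principalEmail": "system:serviceaccount:default:ci-bot"},
            # gRPC code 7 = PERMISSION_DENIED; constructed to show a rejected request
            "status": {"code": 7, "message": "Forbidden"},
        },
        "timestamp": "2023-05-01T10:05:00Z",
    },
    {
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "audited_resource", "labels": {"project_id": "my-project"}},
        "protoPayload": {
            "serviceName": "gkemulticloud.googleapis.com",
            "methodName": "google.cloud.gkemulticloud.v1.AwsClusters.GetAwsCluster",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "status": {},
        },
        "timestamp": "2023-05-01T10:06:00Z",
    },
])


def load_entries(text):
    """Parse the JSON array that `gcloud logging read --format=json` emits."""
    return json.loads(text)


def is_k8s_admin_activity(entry):
    """True for k8s_cluster entries in the log stream described on this page."""
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and entry.get("logName", "").endswith(EXPECTED_LOG_SUFFIX)
            and entry.get("protoPayload", {}).get("serviceName") == EXPECTED_SERVICE)


def verb_of(entry):
    """Kubernetes verb is the last segment of methodName, e.g. '...secrets.create'."""
    return entry["protoPayload"]["methodName"].rsplit(".", 1)[-1]


def count_by_principal(entries):
    """Counter keyed by (principalEmail, verb) over the matching entries."""
    counts = Counter()
    for entry in entries:
        if is_k8s_admin_activity(entry):
            principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
            counts[(principal, verb_of(entry))] += 1
    return counts


def denied_requests(entries):
    """Matching entries whose status.code is non-zero (the API server rejected them)."""
    return [entry for entry in entries
            if is_k8s_admin_activity(entry)
            and entry["protoPayload"].get("status", {}).get("code", 0) != 0]


if __name__ == "__main__":
    data = load_entries(SAMPLE_JSON)
    for (principal, verb), n in sorted(count_by_principal(data).items()):
        print(f"{n:4d}  {verb:<8} {principal}")
    for entry in denied_requests(data):
        print("DENIED", entry["protoPayload"]["methodName"],
              entry["protoPayload"]["authenticationInfo"]["principalEmail"])
```

Because data access (get, list, watch) logging is not supported, only write-type verbs appear in the counts; the third sample entry is dropped because it is a Cloud API record (resource.type audited_resource), not a Kubernetes cluster record.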