Access Transparency exclusions

Access Transparency logs are generated when Google personnel access content that you've uploaded into an Access Transparency supported service, except in the following scenarios:

  1. Google is legally prohibited from notifying you of the access.

  2. You've granted the Google personnel access to your content by using your Identity and Access Management policy; their activities are recorded in Cloud Audit Logs (when enabled), not Access Transparency logs.

  3. The access doesn't target a particular user's content; for example, Google personnel querying for the average size of records in a database that contains content from multiple Google Cloud customers.

  4. The content in question is a public resource identifier. For example:

    • Google Cloud project IDs
    • Cloud Storage bucket names
    • Compute Engine VM names
    • Google Kubernetes Engine cluster names
    • BigQuery resource names (including datasets, tables, and reservations)

  5. The access originates from a standard workflow; for example, a compression job that runs on the content or disk destruction during the content deletion process. Details are as follows:

    • Google uses an internal version of Binary Authorization to ensure that system code running on Access Transparency services has been reviewed by multiple Google personnel before it accesses customer content. The reviewer must be designated as an owner of the source code, preventing modification by unauthorized Google personnel.

    • Google validates that the system job accessing customer content is authorized to do so. For example:

      • To grant you access to your own content
      • To index, compress, or perform other optimization operations
      • To run scheduled jobs or workloads

Google detects whether access to customer content is targeted or untargeted before generating Access Transparency logs. If there is no way to identify a customer from the content that was accessed, an Access Transparency log isn't generated.

Google strictly limits the number and permissions of personnel who could access customer content while performing tasks on low-level infrastructure. Google uses encryption to limit the ability of its personnel in these situations to read customer content, and closely monitors their behavior with internal logging and auditing. These low-level accesses don't generate Access Transparency logs.
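Exclusion 2 means that access you grant through IAM is visible only in Cloud Audit Logs, and only when those logs are enabled. The following added example (not part of the original page or Google's tooling) checks one IAM policy for members whose Data Access audit logs are missing or exempted for a service. It assumes Google personnel appear as members in the `google.com` domain, and the sample policy is constructed; it reads only the policy it is given, not inherited policies or service defaults.

```python
import json

# Constructed sample policy (not from the page). The shape follows the IAM
# Policy resource: `bindings` plus `auditConfigs`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["user:support-eng@google.com", "user:dev@example.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["group:tse-team@google.com"]}
  ],
  "auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [
       {"logType": "DATA_READ",
        "exemptedMembers": ["user:support-eng@google.com"]},
       {"logType": "DATA_WRITE"}]}
  ]
}
""")

DATA_ACCESS_TYPES = ("DATA_READ", "DATA_WRITE")
ASSUMED_DOMAIN = "@google.com"  # assumption: how Google personnel appear as members


def google_members(policy):
    """Return {member: [roles]} for members in the assumed Google domain."""
    found = {}
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member.lower().endswith(ASSUMED_DOMAIN):
                found.setdefault(member, []).append(binding["role"])
    return found


def audit_gaps(policy, service):
    """Return {member: [Data Access log types not recorded]} for `service`."""
    covered = {}  # logType -> members exempted from that log type
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in (service, "allServices"):
            for lc in cfg.get("auditLogConfigs", []):
                covered.setdefault(lc["logType"], set()).update(
                    lc.get("exemptedMembers", []))
    gaps = {}
    for member in google_members(policy):
        missing = [t for t in DATA_ACCESS_TYPES
                   if t not in covered or member in covered[t]]
        if missing:
            gaps[member] = missing
    return gaps
```

A non-empty result lists granted members whose reads or writes would appear in neither Access Transparency logs nor the Data Access audit logs configured by this policy.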
