Enroll a resource for auditing

This page describes how to enroll a project or folder resource for auditing in Audit Manager, which is the first step in running an audit. When you enroll a resource, any child resources will also be enrolled. For example, if you enroll a folder, any projects beneath that folder will also be enrolled.

Enrollment accomplishes the following tasks:

  • A service agent associated with Audit Manager is created, which monitors the specified resource on your behalf. The service agent's email address uses the following format, where RESOURCE_ID is the project ID or folder ID:

    RESOURCE_ID@gcp-sa-audit-manager.iam.gserviceaccount.com

    Revoking this service agent's roles will cause Audit Manager to stop auditing the resource.

  • The specified Cloud Storage buckets are configured as the destination for audit data to be stored.

Before you begin

  • Ensure that your administrator has granted you one of the required Identity and Access Management (IAM) roles to enroll a resource for auditing.
  • Identify or create one or more Cloud Storage buckets where audit data will be exported, and ensure that the caller has been granted the proper permissions on the bucket.

Required IAM roles

Ensure that your administrator has granted you the Audit Manager Admin (roles/auditmanager.admin) role. This role grants you the ability to enable auditing on a project or folder, and to create or view audit reports.

When specifying one or more buckets to store audit data, you must be granted a role that contains the storage.buckets.setIamPolicy permission. Predefined roles that contain this permission include the Storage Admin (roles/storage.admin) role and the Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner) role.

See the IAM documentation for more information about granting roles.

Enroll a resource for auditing

To enroll a resource for auditing, complete the following steps.

Console

  1. In the Google Cloud console, go to the Audit Manager page.

    Go to Audit Manager

  2. Click Settings.

  3. On the Settings page, a list of folders or projects is shown, depending on which resource you have selected in the project picker at the top of the page. If a project or folder has not yet been enrolled in Audit Manager, click Enroll in the Status column.

  4. On the Select storage bucket prompt, select one or more Cloud Storage buckets where you want to save your audit reports and evidence, and click Select.

The resource is now enrolled and auditing is enabled for it.

gcloud

The gcloud alpha audit-manager enrollments add command enrolls a resource for monitoring.

Replace the following placeholder values with your own before you run the command:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager

gcloud alpha audit-manager enrollments add \
  --RESOURCE_TYPE=RESOURCE_ID \
  --location=LOCATION \
  --eligible-gcs-buckets="BUCKET_URI"

REST

Replace the following placeholder values with your own before you make the request:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folders
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager

HTTP method and URL:

POST https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION:enrollResource

Request JSON body:

{
  "destinations" : [
    {
      "eligible_gcs_buckets" : "BUCKET_URI"
    }
  ]
}

If successful, the response is an HTTP 200 status code. Refer to the following table if you received an error:

| Error code | Error message | Description |
| --- | --- | --- |
| 401 | You don't have the necessary permissions to enroll this resource for audits. | Ensure that you have been granted an owner role for the project or folder, or ask the owner to run this operation on your behalf. |
| 401 | You don't have write permission to Cloud Storage bucket(s). | For all specified buckets, ensure that the caller has write permissions. |
| 400 | No storage bucket provided to store audit evidence. | Provide at least one storage bucket to store audit data where the caller has write permissions. |
| 400 | Scope provided is invalid. Unable to locate the folder or the project to be audited. | Provide the scope for the resource in the appropriate format. |
| 403 | Audit Manager API is not being used in project PROJECT_ID or is disabled. | Enable the Audit Manager API by clicking the link provided in the message. |
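As an added example (not Google's client code), the following Python builds the enrollResource request from the placeholders above, rejects malformed input before any network call, derives the service agent address that enrollment creates, and maps an error response to the remediation in the table. The bucket-name regex and the one-destination-per-bucket body shape for multiple buckets are assumptions; the page only shows a single bucket.

```python
import re

API_ROOT = "https://auditmanager.googleapis.com/v1alpha"
SERVICE_AGENT_DOMAIN = "gcp-sa-audit-manager.iam.gserviceaccount.com"
VALID_TYPES = ("projects", "folders")
# Simplified bucket check (assumption): gs:// plus 3-63 lowercase name chars.
BUCKET_RE = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$")

# Error table from the page, keyed by (status, fragment of the message).
ERRORS = {
    (401, "necessary permissions"): "Get an owner role on the project or folder, or ask the owner to enroll.",
    (401, "write permission"): "Grant the caller write permission on every listed bucket.",
    (400, "No storage bucket"): "Supply at least one bucket the caller can write to.",
    (400, "Scope provided is invalid"): "Check the resource type and ID in the request URL.",
    (403, "Audit Manager API"): "Enable the Audit Manager API in the project named in the message.",
}


def validate_enroll_args(resource_type, resource_id, buckets):
    """Return a list of problems; an empty list means the request is well-formed."""
    problems = []
    if resource_type not in VALID_TYPES:
        problems.append(f"resource_type must be one of {VALID_TYPES}, got {resource_type!r}")
    if not resource_id or "/" in resource_id:
        problems.append("resource_id must be a bare project ID or folder ID")
    if not buckets:
        problems.append("at least one bucket is required (server would answer 400)")
    problems.extend(f"not a gs:// bucket URI: {b}" for b in buckets if not BUCKET_RE.match(b))
    return problems


def build_enroll_request(resource_type, resource_id, location, buckets):
    """Return (url, body) for the POST; raise before any network call on bad input."""
    problems = validate_enroll_args(resource_type, resource_id, buckets)
    if problems:
        raise ValueError("; ".join(problems))
    url = f"{API_ROOT}/{resource_type}/{resource_id}/locations/{location}:enrollResource"
    # One destination entry per bucket (assumption; the page shows a single bucket).
    body = {"destinations": [{"eligible_gcs_buckets": b} for b in buckets]}
    return url, body


def service_agent_email(resource_id):
    # Service agent that enrollment creates; revoking its roles stops auditing.
    return f"{resource_id}@{SERVICE_AGENT_DOMAIN}"


def explain_error(status, message):
    """Map an error response to the remediation from the page's table."""
    for (code, fragment), advice in ERRORS.items():
        if code == status and fragment in message:
            return advice
    return f"unexpected HTTP {status}: {message}"
```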

What's next