Enroll a resource for auditing

This page describes how to enroll a project resource or a folder resource for auditing in Audit Manager.

Enrollment accomplishes the following tasks:

  • A Google-managed service agent associated with Audit Manager is created, which monitors the specified resource on your behalf. The service agent's email address uses the following format, where RESOURCE_ID is the project ID or folder ID:

    RESOURCE_ID@gcp-sa-audit-manager.iam.gserviceaccount.com

    Revoking this service agent's roles can cause Audit Manager to stop auditing the resource.

  • The specified Cloud Storage buckets are configured as the destination to store the audit data.

When you enroll a resource, its child resources are also enrolled. For example, if you enroll a folder, any projects within that folder are also enrolled. If a parent resource is already enrolled and you attempt to enroll one of its child resources, then the child resource is enrolled independently.

Before you begin

Enroll a resource for auditing

You can enroll a project resource or a folder resource for auditing in Audit Manager.

The simplest way to enroll a resource is through the Google Cloud console. Alternatively, you can use the Audit Manager API or the Google Cloud CLI.

Console

  1. In the Google Cloud console, go to the Audit Manager page.

  2. Click Settings.

    Depending on the resource you have selected in the project selector, a list of folders or projects is displayed on the Settings page.

  3. On the Settings page, select the project or folder that you want to enroll in Audit Manager, and then click Enroll in the Status column.

  4. In the Select storage bucket details dialog, select one or more Cloud Storage buckets where you want to save your reports and evidence, and click Enroll.

    Your resource is now enrolled for auditing.

gcloud

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud audit-manager enrollments add \
--RESOURCE_TYPE=RESOURCE_ID \
--eligible-gcs-buckets=BUCKET_URI

Windows (PowerShell)

gcloud audit-manager enrollments add `
--RESOURCE_TYPE=RESOURCE_ID `
--eligible-gcs-buckets=BUCKET_URI

Windows (cmd.exe)

gcloud audit-manager enrollments add ^
--RESOURCE_TYPE=RESOURCE_ID ^
--eligible-gcs-buckets=BUCKET_URI

REST

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager.

HTTP method and URL:

POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource

Request JSON body:
{
  "destinations" : [
    {
      "eligible_gcs_buckets" : "BUCKET_URI"
    }
  ]
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource" | Select-Object -Expand Content

You should receive a successful status code (2xx) and an empty response.

If you want to change the storage location for audit data after enrollment, you need to update the enrollment of your resource and specify the new storage locations. The previous enrollment and storage locations are overwritten by the new request.
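As an added example (not the page's or Google's own code), the following Python builds the enrollResource URL and body from the placeholders above, rejecting malformed inputs before any request is sent, and checks a destination bucket's IAM policy for the enrollment service agent named in the note at the top of the page. The policy JSON is a constructed sample; its shape, the role names in it, and the one-destination-per-bucket body used for several buckets are assumptions.

```python
import json
import re

# Constructed sample policy, shaped like the JSON that
# `gcloud storage buckets get-iam-policy BUCKET --format=json` returns (assumption).
# The roles are illustrative; the page does not name the roles the agent is granted.
SAMPLE_BUCKET_POLICY = json.loads("""
{"bindings": [
   {"role": "roles/storage.objectCreator",
    "members": ["serviceAccount:8767234@gcp-sa-audit-manager.iam.gserviceaccount.com"]},
   {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}],
 "etag": "CAE="}
""")

API_BASE = "https://auditmanager.googleapis.com"
RESOURCE_TYPES = ("project", "folder")
# gs:// plus a bucket name: 3-63 chars of lowercase letters, digits, '-', '_', '.',
# starting and ending with a letter or digit; no object path.
BUCKET_URI_RE = re.compile(r"^gs://[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]/?$")


def service_agent_email(resource_id):
    """Principal Audit Manager creates at enrollment, in the format the page gives."""
    return f"{resource_id}@gcp-sa-audit-manager.iam.gserviceaccount.com"


def is_bucket_uri(uri):
    """True if uri is a well-formed gs:// bucket URI (bucket only)."""
    return bool(BUCKET_URI_RE.match(uri))


def build_enroll_request(resource_type, resource_id, location, bucket_uris):
    """Return (url, body) for the enrollResource call after validating every input.
    One destinations entry per bucket, mirroring the page's single-bucket body (assumption)."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resource_type must be one of {RESOURCE_TYPES}, got {resource_type!r}")
    if not resource_id or not location:
        raise ValueError("resource_id and location must be non-empty")
    bad = [u for u in bucket_uris if not is_bucket_uri(u)]
    if bad or not bucket_uris:
        raise ValueError(f"expected one or more gs:// bucket URIs, rejected: {bad}")
    url = f"{API_BASE}/{resource_type}/{resource_id}/locations/{location}/:enrollResource"
    body = {"destinations": [{"eligible_gcs_buckets": u} for u in bucket_uris]}
    return url, body


def service_agent_roles(policy, resource_id):
    """Roles the bucket policy grants the service agent. An empty list is the condition
    the page warns about: the agent's access is gone and auditing can stop."""
    member = "serviceAccount:" + service_agent_email(resource_id)
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))
```

Run `service_agent_roles` over the live policy of each destination bucket as a periodic check that nobody has revoked the agent's bindings.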

What's next