This page describes how to enroll a project or folder resource for auditing in Audit Manager, which is the first step in running an audit. When you enroll a resource, any child resources will also be enrolled. For example, if you enroll a folder, any projects beneath that folder will also be enrolled.
Enrollment accomplishes the following tasks:
A service agent associated with Audit Manager is created, which monitors the specified resource on your behalf. The service agent's email address uses the following format, where RESOURCE_ID is the project ID or folder ID:
RESOURCE_ID@gcp-sa-audit-manager.iam.gserviceaccount.com
Revoking this service agent's roles will cause Audit Manager to stop auditing the resource.
The specified Cloud Storage buckets are configured as the destination for audit data to be stored.
Before you begin
- Ensure that your administrator has granted you one of the required Identity and Access Management (IAM) roles to enroll a resource for auditing.
- Identify or create one or more Cloud Storage buckets where audit data will be exported, and ensure that the caller has been granted the proper permissions on the bucket.
Required IAM roles
Ensure that your administrator has granted you the Audit Manager Admin (roles/auditmanager.admin) role. This role grants you the ability to enable auditing on a project or folder, and to create or view audit reports.
When specifying one or more buckets to store audit data, you must be granted a role that contains the storage.buckets.setIamPolicy permission. Predefined roles that contain this permission include the Storage Admin (roles/storage.admin) role and the Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner) role.
See the IAM documentation for more information about granting roles.
Enroll a resource for auditing
To enroll a resource for auditing, complete the following steps.
Console
- In the Google Cloud console, go to the Audit Manager page.
- Click Settings.
- On the Settings page, depending on which resource you have selected in the project picker at the top of the page, a list of folders or projects is shown. If a project or folder has not yet been enrolled for Audit Manager, click Enroll in the Status column.
- On the Select storage bucket prompt, select one or more Cloud Storage buckets where you want to save your audit reports and evidence, and click Select.
Audits are now enrolled and enabled for the resource.
gcloud
The gcloud alpha audit-manager enrollments add command enrolls a resource for monitoring.
Replace the following placeholder values with your own before you run the command:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager
gcloud alpha audit-manager enrollments add \
--RESOURCE_TYPE=RESOURCE_ID \
--location=LOCATION \
--eligible-gcs-buckets="BUCKET_URI"
REST
Replace the following placeholder values with your own before you make the request:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folders
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager
HTTP method and URL:
POST https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION:enrollResource
Request JSON body:
{
  "destinations": [
    {
      "eligible_gcs_buckets": "BUCKET_URI"
    }
  ]
}
If successful, the response is an HTTP 200 status code. Refer to the following table if you received an error:
Error code | Error message | Description |
---|---|---|
401 | You don't have the necessary permissions to enroll this resource for audits. | Ensure that you have been granted an owner role for the project or folder, or ask the owner to run this operation on your behalf. |
401 | You don't have write permission to Cloud Storage bucket(s). | For all specified buckets, ensure that the caller has write permissions. |
400 | No storage bucket provided to store audit evidence. | Provide at least one storage bucket to store audit data where the caller has write permissions. |
400 | Scope provided is invalid. Unable to locate the folder or the project to be audited. | Provide the resource scope in the appropriate format. |
403 | Audit Manager API is not being used in project PROJECT_ID or is disabled. | Enable the Audit Manager API by clicking the link provided in the message. |
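The following is an added example (not Google's code or part of this page) that builds the enrollResource request from the placeholders above and, after enrollment, checks whether the Audit Manager service agent still holds a binding on the destination bucket, since revoking its roles stops auditing. It assumes the standard bucket IAM policy shape (bindings with role and members, as returned by gcloud storage buckets get-iam-policy --format=json); the sample policy and the role granted to the agent in it are constructed for the example.

```python
import json

SERVICE_AGENT_DOMAIN = "gcp-sa-audit-manager.iam.gserviceaccount.com"
API_BASE = "https://auditmanager.googleapis.com/v1alpha"


def service_agent_email(resource_id):
    """Email of the service agent Audit Manager creates at enrollment."""
    return f"{resource_id}@{SERVICE_AGENT_DOMAIN}"


def build_enroll_request(resource_type, resource_id, location, bucket_uri):
    """Return (url, body) for the enrollResource REST call shown above."""
    if resource_type not in ("projects", "folders"):
        raise ValueError("RESOURCE_TYPE must be 'projects' or 'folders'")
    if not bucket_uri.startswith("gs://"):
        raise ValueError("BUCKET_URI must be a gs:// URI")
    url = f"{API_BASE}/{resource_type}/{resource_id}/locations/{location}:enrollResource"
    body = {"destinations": [{"eligible_gcs_buckets": bucket_uri}]}
    return url, body


def agent_roles_on_bucket(policy, resource_id):
    """Roles the service agent for resource_id holds in a bucket IAM policy.

    An empty list means the agent's bindings were revoked on this bucket,
    which is the condition under which Audit Manager stops auditing.
    """
    member = "serviceAccount:" + service_agent_email(resource_id)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))


# Constructed sample policy for this example; the role given to the agent
# (roles/storage.objectCreator) is an assumption, not documented above.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.admin",
     "members": ["user:auditor@example.com"]},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:8767234@gcp-sa-audit-manager.iam.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    url, body = build_enroll_request("folders", "8767234", "us-central1",
                                     "gs://testbucketauditmanager")
    print(url, json.dumps(body))
    print(agent_roles_on_bucket(SAMPLE_POLICY, "8767234"))
```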
What's next
- Learn how to run an audit.