This page describes how to enroll an organization, a folder, or a project as a resource for auditing in Audit Manager.
Enrollment accomplishes the following tasks:
A Google-managed service agent associated with Audit Manager is created, which monitors the specified resource on your behalf. The service agent's email address uses the following format, where RESOURCE_ID is the organization ID, folder ID, or project ID.
RESOURCE_ID@gcp-sa-audit-manager.iam.gserviceaccount.com
Revoking this service agent's roles can cause Audit Manager to stop auditing the resource.
The specified Cloud Storage buckets are configured as the destination to store the audit data.
When you enroll a resource, its child resources are also enrolled. For example, if you enroll an organization, any projects within that organization are also enrolled. If a parent resource is already enrolled and you attempt to enroll one of its child resources, then the child resource is enrolled independently.
Before you begin
Ensure that you have the following IAM roles and permissions:
- Audit Manager Admin (
roles/auditmanager.admin
). - Storage Admin(
roles/storage.admin
) or Storage Legacy Bucket Owner (roles/storage.legacyBucketOwner
)
- Audit Manager Admin (
To enroll an organization or a folder, you must have the following additional permissions:
- Organization:
resourcemanager.organizations.setIamPolicy
- Folder:
resourcemanager.folders.setIamPolicy
- Organization:
Identify or create Cloud Storage buckets where the audit data needs to be exported.
To learn about how to create Cloud Storage buckets, see Create a bucket.
Enroll a resource for auditing
You can enroll an organization, a folder, or a project for auditing in Audit Manager.
The simplest way to enroll a resource is through the Google Cloud console. Alternatively, you can use the Audit Manager API or the Google Cloud CLI.
Console
In the Google Cloud console, go to the Audit Manager page.
Click
Settings.Depending on the resource you have selected in the project selector, a list of folders or projects are displayed on the Settings page.
On the Settings page, select the resource that you want to enroll for Audit Manager, click
Enroll in the Status column.In the Select storage bucket details dialog, select one or more Cloud Storage buckets where you want to save your reports and evidence, and click Enroll.
Your resource is now enrolled for auditing.
gcloud
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of resource. Possible values are
organization
,folder
, andproject
. - RESOURCE_ID: The resource ID of the organization, folder, or project. For example:
8767234
. - BUCKET_URI: The URI of the Cloud Storage bucket. For example:
gs://testbucketauditmanager
.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud audit-manager enrollments add \ --RESOURCE_TYPE=RESOURCE_ID \ --eligible-gcs-buckets=BUCKET_URI
Windows (PowerShell)
gcloud audit-manager enrollments add ` --RESOURCE_TYPE=RESOURCE_ID ` --eligible-gcs-buckets=BUCKET_URI
Windows (cmd.exe)
gcloud audit-manager enrollments add ^ --RESOURCE_TYPE=RESOURCE_ID ^ --eligible-gcs-buckets=BUCKET_URI
REST
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of resource. Possible values are
organization
,folder
, andproject
. - RESOURCE_ID: The resource ID of the organization, folder, or project. For example:
8767234
. - BUCKET_URI: The URI of the Cloud Storage bucket. For example:
gs://testbucketauditmanager
.
HTTP method and URL:
POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource
Request JSON body:
{ "destinations" : [ { "eligible_gcs_buckets" : "BUCKET_URI" } ] }
To send your request, choose one of these options:
curl
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource"
PowerShell
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource" | Select-Object -Expand Content
You should receive a successful status code (2xx) and an empty response.
If you want to change the storage location for audit data after enrollment, you need to update enrollment of your resource and specify the new storage locations. The previous enrollment and storage locations are overwritten by the new request.