Run an audit

This page describes how to run an audit in Audit Manager. An audit is a long-running operation that may take a few hours. The duration depends on the number of resources within the audit scope, which is the project or folder you have previously enrolled.

Before you begin

Required IAM roles

To run an audit or to generate an audit scope, you must be granted the Audit Manager Admin (roles/auditmanager.admin) or Audit Manager Auditor (roles/auditmanager.auditor) role. These roles grant you the ability to generate an audit scope, and to create or view audit reports.

See the IAM documentation for more information about granting roles.

Run an audit

To run an audit, complete the following steps.

Console

  1. In the Google Cloud console, go to the Run assessment page in Audit Manager.

  2. Enter the ID of the project or folder you want to enroll. The expected format is projects/PROJECT-ID or folders/FOLDER-ID.

  3. If the project or folder has not been previously enrolled, you will be prompted to enroll it. Click Enroll Audits.

  4. Select the compliance standard you want to audit your resource against. See the Supported compliance standards page for more information.

  5. Select the location where the audit should be processed. See the Locations page for a description of each available location.

  6. Click Next.

  7. In the Get assessment plan step, you can optionally download an ODS file that lists each audit parameter included in the compliance standard you selected earlier. Click the link to download it, and then click Next.

  8. In the Choose storage bucket step, select one of the previously-enrolled buckets where the audit report and evidence will be saved, and click Done. If your bucket is not listed, it must be re-enrolled.

  9. Click Run Audit to start the audit. You can follow the audit status in the list of audits, as described in View an audit.

gcloud

The gcloud alpha audit-manager audit-reports generate command runs an audit.

Replace the following placeholder values with your own before you run the command:

  • RESOURCE_TYPE: The type of resource, either project or folder. It is the name of the scope flag, so --RESOURCE_TYPE=RESOURCE_ID expands to --project=PROJECT_ID or --folder=FOLDER_ID. For example: folder
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • BUCKET_URI: The URI of a Cloud Storage bucket that has already been enrolled for this resource; the audit report and evidence are written there. For example: gs://testbucketauditmanager
  • COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF is supported: odf

gcloud alpha audit-manager audit-reports generate \
  --RESOURCE_TYPE=RESOURCE_ID \
  --location=LOCATION \
  --compliance-standard=COMPLIANCE_TYPE \
  --report-format=AUDIT_REPORT_FORMAT \
  --gcs-uri="BUCKET_URI"

If successful, the response includes the following information:

  • name: The unique identifier of the long-running audit operation. Use it to track the progress of the audit. For example: operation/098234
  • done: A boolean flag. It is false in this response, meaning the audit has been started, and becomes true once the audit has completed.

REST

Replace the following placeholder values with your own before you make the request:

  • RESOURCE_TYPE: The type of resource as it appears in the request path, either projects or folders. For example: folders
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • BUCKET_URI: The URI of a Cloud Storage bucket that has already been enrolled for this resource; the audit report and evidence are written there. For example: gs://testbucketauditmanager
  • COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF is supported: AUDIT_REPORT_FORMAT_ODF

HTTP method and URL:

POST: https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate

Request JSON body:

{
  "destination" : {
    "gcs_uri" : "BUCKET_URI"
  },
  "compliance_regime" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}

If successful, the response includes the following information:

  • name: The unique identifier of the long-running audit operation. Use it to track the progress of the audit. For example: operation/098234
  • done: A boolean flag. It is false in this response, meaning the audit has been started, and becomes true once the audit has completed.

If an error occurred, refer to the following table for troubleshooting guidance.

Error code | Error message | Description
401 | User has insufficient permissions to run audit on the provided scope. | Ensure that you have been granted the required permissions to run an audit, or ask an administrator to run this operation on your behalf.
401 | Storage bucket provided is not enrolled for the provided audit resource. | The specified bucket has not been enrolled for auditing. Specify an enrolled bucket, or retry the enrollment operation for the appropriate bucket.
403 | Resource is not enrolled to be audited. | The specified resource has not been enrolled for auditing. Specify an enrolled resource, or retry the enrollment operation for the appropriate resource.

Generate an assessment plan (optional)

Before running an actual audit, you can generate an audit scope (the assessment plan): a detailed task breakdown for the audit, based on the compliance standard you chose.

Console

The steps to generate an assessment plan in the Google Cloud console are included in the Run an audit section.

gcloud

The gcloud alpha audit-manager audit-scopes generate command generates an audit scope.

Replace the following placeholder values with your own before you run the command:

  • RESOURCE_TYPE: The type of resource, either project or folder. It is the name of the scope flag, so --RESOURCE_TYPE=RESOURCE_ID expands to --project=PROJECT_ID or --folder=FOLDER_ID. For example: folder
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
  • AUDIT_REPORT_FORMAT: The format of the output scope report. Only ODF is supported: odf
  • OUTPUT_DIRECTORY: The local directory where the output is stored. For example: reports
  • OUTPUT_FILENAME: The name of the output file, without the file extension. For example: scopeReport

gcloud alpha audit-manager audit-scopes generate \
  --RESOURCE_TYPE=RESOURCE_ID \
  --location=LOCATION \
  --compliance-standard=COMPLIANCE_TYPE \
  --report-format=AUDIT_REPORT_FORMAT \
  --output-directory=OUTPUT_DIRECTORY \
  --output-file-name=OUTPUT_FILENAME

REST

Replace the following placeholder values with your own before you make the request:

  • RESOURCE_TYPE: The type of resource as it appears in the request path, either projects or folders. For example: folders
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
  • LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
  • COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
  • AUDIT_REPORT_FORMAT: The format of the output scope report. Only ODF is supported: AUDIT_REPORT_FORMAT_ODF

HTTP method and URL:

POST: https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate

Request JSON body:

{
  "compliance_regime" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}

The response includes the scope_report_contents and name fields, such as the following:

{
  "scope_report_contents" : "980u43nrf090834uhbkfehf......",
  "name" : "folders/8767234/locations/us-west"
}

The scope_report_contents field holds the raw bytes of the scope report. As with any bytes field in a Google API JSON response, the value is base64-encoded: decode it and save the result as an .ods (ODF spreadsheet) file before review.

If an error occurred, refer to the following table for troubleshooting guidance.

Error code | Error message | Description
400 | Invalid compliance standard. Please provide a standard from the following list : [] | Ensure that you've specified a supported compliance standard and try again.
400 | Invalid report format is passed. | Ensure that you've specified the expected report format: AUDIT_SCOPE_REPORT_FORMAT_ODF.
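The following Python script is an added example; it is not code from the Audit Manager documentation or from the product. It covers both REST procedures on this page: it assembles the auditReport:generate and auditScopesReport:generate requests from the placeholders above (checking the plural path segment, the resource ID shape and the gs:// bucket URI before anything is sent), interprets the long-running operation's done flag, and decodes a scope-report response into an .ods file, refusing payloads that are not an OpenDocument spreadsheet. It assumes that the bytes field may be spelled either scope_report_contents (as shown above) or scopeReportContents (the lowerCamelCase JSON mapping), that the value is base64-encoded as bytes fields are in Google API JSON responses, and that a bearer token from `gcloud auth print-access-token` is accepted; the sample response it decodes is constructed inline, not captured from the API.

```python
"""Added example, not from the Audit Manager docs. Assumptions: the bytes field
is scope_report_contents or scopeReportContents and base64-encoded; the sample
response below is constructed here, not real API output."""
import base64
import io
import json
import re
import urllib.request
import zipfile

API_ROOT = "https://auditmanager.googleapis.com/v1alpha"
ODS_MIMETYPE = "application/vnd.oasis.opendocument.spreadsheet"
# Sanity check only: a numeric folder ID, or a project ID shaped like
# "my-project-123" (6-30 chars, lowercase letters, digits and hyphens).
RESOURCE_ID_RE = re.compile(r"^(\d+|[a-z][a-z0-9-]{4,28}[a-z0-9])$")


def build_request(resource_type, resource_id, location, compliance_regime,
                  report_format, gcs_uri=None):
    """Return (url, body) for auditReport:generate when gcs_uri is given,
    otherwise for auditScopesReport:generate. Validates placeholders first."""
    if resource_type not in ("projects", "folders"):
        raise ValueError("resource_type must be the plural path segment: "
                         "'projects' or 'folders'")
    if not RESOURCE_ID_RE.match(resource_id):
        raise ValueError(f"implausible resource ID: {resource_id!r}")
    parent = f"{resource_type}/{resource_id}/locations/{location}"
    body = {"compliance_regime": compliance_regime,
            "report_format": report_format}
    if gcs_uri is None:
        return f"{API_ROOT}/{parent}/auditScopesReport:generate", body
    if not gcs_uri.startswith("gs://"):
        raise ValueError("gcs_uri must be the gs:// URI of an enrolled bucket")
    body["destination"] = {"gcs_uri": gcs_uri}
    return f"{API_ROOT}/{parent}/auditReport:generate", body


def send(url, body, access_token):
    """POST with a bearer token (e.g. `gcloud auth print-access-token`).
    Needs network access, so the offline demo below does not call it."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def operation_status(operation):
    """Classify the long-running operation from auditReport:generate:
    done is false while the audit runs and true once it has completed."""
    if "error" in operation:
        return "error"
    return "done" if operation.get("done") else "running"


def decode_scope_report(response):
    """Base64-decode the scope report and verify it is an ODS document (a zip
    whose first entry is 'mimetype' holding the ODS type) before it is opened."""
    encoded = response.get("scope_report_contents",
                           response.get("scopeReportContents"))
    if encoded is None:
        raise ValueError("response carries no scope report contents")
    raw = base64.b64decode(encoded, validate=True)
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        entries = zf.infolist()
        if (not entries or entries[0].filename != "mimetype"
                or zf.read("mimetype") != ODS_MIMETYPE.encode()):
            raise ValueError("payload is not an OpenDocument spreadsheet")
    return raw


def save_scope_report(response, path):
    """Write the decoded report to path (use an .ods extension); returns size."""
    raw = decode_scope_report(response)
    with open(path, "wb") as f:
        f.write(raw)
    return len(raw)


def constructed_scope_response():
    """Constructed sample (not real API output): a minimal ODS-shaped zip,
    base64-encoded the way a bytes field is returned."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ODS_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>")
    return {"scope_report_contents": base64.b64encode(buf.getvalue()).decode(),
            "name": "folders/8767234/locations/us-central1"}


if __name__ == "__main__":
    url, body = build_request("folders", "8767234", "us-central1",
                              "FEDRAMP_MODERATE", "AUDIT_REPORT_FORMAT_ODF",
                              gcs_uri="gs://testbucketauditmanager")
    print("POST", url)
    print(json.dumps(body, indent=2))
    print(operation_status({"name": "operation/098234", "done": False}))
    size = save_scope_report(constructed_scope_response(), "scopeReport.ods")
    print(f"wrote scopeReport.ods ({size} bytes)")
```

To run against the real API, pass the output of `gcloud auth print-access-token` to send(); the mimetype check in decode_scope_report is what stops a truncated or unexpected payload from being handed to an office suite as if it were the report.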

What's next