View an audit

This page describes how to view a completed audit in Audit Manager. When an audit has been completed, Audit Manager will create and store the following types of artifacts in the destination storage buckets for you to view:

You can also view this information in the Google Cloud console by following the steps in the View completed audits section.

Before you begin

Required IAM roles

To view an audit, at minimum you must be granted the Audit Manager Auditor (roles/auditmanager.auditor) role. This role grants you the ability to create or view audit reports.

View completed audits

To view completed audits in the Google Cloud console, complete the following steps:

  1. In the Google Cloud console, go to the Audit Manager page.

    Go to Audit Manager

  2. In the Compliance Audits section, click View Audits.

  3. On the View assessments page, you can view the current status of an in-progress audit or get more information about a completed audit. Click the link the Status column to view more information about the audit.

Audit summary report

An audit summary report is a comprehensive report that provides a high-level overview of all compliance controls and a responsibilities matrix to help you understand the system.

In the destination bucket(s), the audit summary report uses the following naming convention:

audit-reports/audit_CONTROL_PACKAGE_NAME_TIMESTAMP/UNIQUE_ID/overall_report.ods

The placeholder values are described as follows:

  • CONTROL_PACKAGE_NAME: The name of the control package, such as FEDRAMP_MODERATE.
  • TIMESTAMP: A timestamp when the report was generated.
  • UNIQUE_ID: A unique ID for the report.

For each applicable control type, the following fields are populated in the audit summary report:

Control type Description
Control Info A description and requirement for the control.
Google Responsibility Google Cloud responsibility and implementation details.
Customer Responsibility Customer responsibility and implementation details.
Assessment Status Status of compliance for the control. Status can be one of the following types:
  • Non-Compliant: Compliance drift detected
  • Compliant: System is compliant
  • Manual Review Needed: Artifacts are produced but user input is required to conclude on status of compliance
  • Skipped: Manual control, automation not present
Control Report Link A link to the control overview report.

Control overview report

A control overview report contains a detailed description of the compliance evaluation for a single control. It provides assessment details for each compliance check with observations and expected values.

In the destination bucket(s), the control overview report uses the following naming convention:

audit-reports/audit_CONTROL_PACKAGE_NAME_TIMESTAMP/UNIQUE_ID/CONTROL_ID.ods

The placeholder values are described as follows:

  • CONTROL_PACKAGE_NAME: The name of the control package, such as FEDRAMP_MODERATE.
  • TIMESTAMP: A timestamp when the report was generated.
  • UNIQUE_ID: A unique ID for the report.
  • CONTROL_ID: The ID for the control.

A control overview report looks similar to the following example:

Control ID: COMPLIANT
Service name # of resources Status Resource Evaluation Details
Resource ID Measured Field Current Value Expected Value Status Evidence Resource URI Evidence Timestamp Evidence for Project/Folder Evidence Link
Total services in scope for this control Total resources in audit scope Compliance status Resource identifier Configuration to be measured for audit Observed values Compliant values Individual compliance status Timestamp when evidence was collected
product1.googleapis.com 2 COMPLIANT Resource 1 abc 10 >=10 COMPLIANT Resource 1 12/05/2023 12:55:16 Project 1 Link 1
def 15 =15 COMPLIANT Resource 4 12/05/2023 13:55:16 Project 1 Link 4
Resource 2 xyz 20 =20 COMPLIANT Resource 2 12/05/2023 14:55:16 Project 1 Link 2
product2.googleapis.com 1 COMPLIANT Resource 3 def 5 >=5 COMPLIANT Resource 3 12/05/2023 15:55:16 Project 1 Link 3

Evidence

Evidence includes all the resources evaluated for each control, including a raw dump of asset data along with the command that was run to produce the output.

In the destination bucket(s), evidence uses the following naming convention:

audit-reports/audit_CONTROL_PACKAGE_NAME_TIMESTAMP/UNIQUE_ID/evidences/evidenceEVIDENCE_ID.json

The placeholder values are described as follows:

  • CONTROL_PACKAGE_NAME: The name of the control package, such as FEDRAMP_MODERATE.
  • TIMESTAMP: A timestamp when the report was generated.
  • UNIQUE_ID: A unique ID for the report.
  • EVIDENCE_ID: A unique ID for the evidence.