
Disabling Exempted Users in Cloud Audit Logging

June 24, 2022
Emanuel Burgess

Developer Advocate, Google

Exempted Users in GCP

Identity and Access Management (IAM) is a collection of tools that allows administrators to define who can do what on resources in a Google Cloud account. Audit logging is a tool that administrators can enable within IAM to enforce compliance, audit activities and improve security posture within an organization. Google Cloud services write audit logs that record different types of access to Google Cloud resources. For example, when metadata or configuration settings are updated, services write an Admin Activity log entry. You can enable additional log types as well.

In some rare cases, an organization might want to disable audit logging—typically for specific service accounts, but potentially for other types of principals, such as specific users or groups. For these rare cases, you can create a list of exempted principals. When you add a principal to the exempted principals list, audit logs aren't created for that principal for the selected log types. (This exemption doesn't apply to Admin Activity logs, which are always generated regardless of exemption status.)

Although many customers find it useful to exempt principals from audit logging, this feature can also create a security risk under some conditions: actions taken by an exempted principal leave no audit log entries for the exempted log types, so they are invisible to anyone relying on those logs. We understand that some administrators may not want to have this feature available for their organization. We've listened to your feedback and implemented a solution to address this concern.

In April 2022, we rolled out a Disable Audit Logging exemption organization policy constraint for our Identity and Access Management (IAM) service. This new constraint prevents you from exempting additional principals from audit logging. You can enable this constraint at the organization or folder level, without affecting any principals that are currently exempt from audit logging.
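Because the constraint only blocks new exemptions, existing exemptions stay in place and have to be found by reading the IAM policy of each project, folder or organization. The script below is an added example written for this post, not code from the blog or from Google. It parses the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints and lists every principal that appears under `auditConfigs[].auditLogConfigs[].exemptedMembers`, grouped by service and log type. It also checks an organization policy document for the constraint; the document shape (`constraint` plus `booleanPolicy.enforced`) and the constraint id `constraints/iam.disableAuditLoggingExemption` are assumptions about the `gcloud resource-manager org-policies describe` output, and the policy embedded in the script is constructed sample data, not a real project.

```python
"""Find principals exempted from Cloud Audit Logging and check the org constraint.

Added example for this blog post; not Google's code. Input is the JSON
printed by `gcloud projects get-iam-policy PROJECT --format=json`.
"""
import json
import sys
from collections import defaultdict

# Constructed sample IAM policy in the shape gcloud returns (not real data).
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_READ",
         "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com"]},
        {"logType": "DATA_WRITE",
         "exemptedMembers": ["serviceAccount:etl@example-project.iam.gserviceaccount.com",
                             "user:alice@example.com"]}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ", "exemptedMembers": ["group:analysts@example.com"]}
      ]
    }
  ],
  "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
  "etag": "BwXyZ0123",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

# Constructed org-policy document; the field layout is an assumption about
# `gcloud resource-manager org-policies describe` output.
SAMPLE_ORG_POLICY = {
    "constraint": "constraints/iam.disableAuditLoggingExemption",
    "booleanPolicy": {"enforced": True},
}
EXEMPTION_CONSTRAINT = "constraints/iam.disableAuditLoggingExemption"


def find_exemptions(policy):
    """Return {member: [(service, logType), ...]} for every exempted principal.

    Admin Activity (ADMIN_WRITE) logs cannot be exempted, so only ADMIN_READ,
    DATA_READ and DATA_WRITE entries can appear here.
    """
    found = defaultdict(list)
    for cfg in policy.get("auditConfigs", []):
        service = cfg.get("service", "<unknown>")
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                found[member].append((service, log_cfg.get("logType")))
    # Sort for stable, reviewable output.
    return {m: sorted(v) for m, v in sorted(found.items())}


def constraint_enforced(org_policy):
    """True if the document enforces the Disable Audit Logging exemption constraint."""
    if org_policy.get("constraint") != EXEMPTION_CONSTRAINT:
        return False
    return bool(org_policy.get("booleanPolicy", {}).get("enforced", False))


def report(policy, org_policy):
    """Build a human-readable summary of exemptions and constraint status."""
    lines = [f"constraint enforced: {constraint_enforced(org_policy)}"]
    exemptions = find_exemptions(policy)
    if not exemptions:
        lines.append("no exempted principals")
    for member, where in exemptions.items():
        scopes = ", ".join(f"{svc}/{lt}" for svc, lt in where)
        lines.append(f"EXEMPT {member}: {scopes}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Read a real policy from stdin if one is piped in, else use the sample.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    print(report(policy, SAMPLE_ORG_POLICY))
```

Run it as `gcloud projects get-iam-policy PROJECT --format=json | python3 audit_exemptions.py` to review a real project; every `EXEMPT` line is a principal whose activity produces no Data Access log entries for the listed log types, which is the gap the new constraint keeps from growing but does not close on its own.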

[Screenshot: Exempted Users in GCP]

Many thanks to all of our customers who provided feedback on this feature! We hope these changes will make the feature easier to use. Please continue to use the "submit feedback" button inside Google Cloud services, and engage with us on social media at @GoogleCloudTech.
