Access Transparency

This page describes Access Transparency and answers some frequently asked questions.

Overview

Security, transparency, and data protection are at the core of how Google designs and builds its products. All customers of Google Cloud own their data and have complete control on how it is used. Google Cloud Trust Principles summarize Google's commitment to protecting the privacy of customer content that is stored in Google Cloud.

Access Transparency is a part of Google's long-term commitment to transparency and user trust. Access Transparency logs record the actions that Google personnel take when accessing customer content.

Access Transparency logs give you different information than Cloud Audit Logs. Cloud Audit Logs record the actions that members of your Google Cloud organization have taken in your Google Cloud resources, whereas Access Transparency logs record the actions taken by Google personnel.

Access by temporary, vendor, and contract workers of an organization is also considered administrative access, and Access Transparency logs it. Access Transparency can help you meet the requirements for vendor data access logging.

Access Transparency log entries include details such as the affected resource and action, the time of the action, the reason for the action, and information about the accessor. The information about the accessor includes details about the physical location and job category of the Google employee. For more information about the details covered in Access Transparency logs, see Log field descriptions.

When to use Access Transparency

You might need Access Transparency logs for the following reasons:

  • Verifying that Google personnel are accessing your content only for valid business reasons, such as fixing an outage or attending to your support requests.
  • Verifying that Google personnel haven't made an error while carrying out your instructions.
  • Verifying and tracking compliance with legal or regulatory obligations.
  • Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.

Use Access Transparency logs to improve the overall security posture

You can use Access Transparency logs by exporting them to your security information and event management (SIEM) tools for compliance or auditing purposes. To do this, you can deploy a unified export pipeline that uses Pub/Sub and Dataflow to aggregate and stream logs from Access Transparency. You can also export security findings from Security Command Center and asset changes from Cloud Asset Inventory to enrich the security data that your SIEM tool uses to identify potential security threats and vulnerabilities.

Google services producing Access Transparency logs

For the list of Google services that provide Access Transparency logs, see Google services with Access Transparency logs.

When can Google personnel access customer content?

Google personnel are strictly restricted in what is visible to them. All accesses to customer content require a valid justification. See Justification reason codes for the list of valid business justifications.

How does Google train its employees on the confidentiality of customer content?

All Google employees are required to execute a confidentiality agreement and comply with Google's Code of Conduct. For more information on employee onboarding, and security and privacy training, see the Google security whitepaper.

How does Google handle government requests for customer content?

If Google receives a government request for customer content, it is Google's policy to direct the government to request such data directly from the Google Cloud customer. For more information, see Google Cloud Government Requests whitepaper.

What's next

Try it for yourself

If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

Get started for free