This document lists all the services that write Access Transparency logs.
GA indicates that a log type is generally available for a service. Preview indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
If you want to enable Access Transparency logs, see Enabling Access Transparency.
Supported Google Cloud services
Access Transparency supports the following Google Cloud services:
|Google Cloud services with Access Transparency support|Availability|
|---|---|
|Anthos clusters on VMware|GA|
|Cloud Data Fusion|GA|
|Cloud Data Loss Prevention|GA|
|Cloud External Key Manager|GA|
|Cloud Healthcare API (note 3)|GA|
|Cloud Key Management Service (KMS)|GA|
|Contact Center AI Insights|GA|
|Google Kubernetes Engine|GA|
|Identity and Access Management|GA|
|Organization Policy Service|GA|
|Vertex AI Feature Store|GA|
|Vertex AI Workbench user-managed notebooks|GA|
1 Cloud Storage and Cloud SQL are the only compatible storage backends for App Engine currently supported by Access Transparency.
2 Some information about your queries, tables, and datasets might not generate an Access Transparency log entry if viewed by Google Cloud Support. Viewing query text, table names, dataset names, and dataset access control lists might not generate Access Transparency log entries; this access pathway gives read-only access. Viewing query results and table or dataset data generates Access Transparency log entries.
Some Access Transparency logs for BigQuery might not contain the
Data in queries residing in non-Google regions for BigQuery Omni does not generate an Access Transparency log entry.
3 Features within Cloud Healthcare API that are not yet generally available might not generate Access Transparency logs. For more information, see the Cloud Healthcare API documentation.
4 Requests that use either the
v1beta2 API version or features
exposed through the
will not generate Access Transparency logs.
5 Access Transparency doesn't support Firestore Security Rules. We recommend that you don't put core content in document names, document field names, Datastore entity names, and entity property names.
6 Some information about your topics and subscriptions might not generate an Access Transparency log entry if viewed by Google Cloud Support. Viewing topic names, subscription names, message attributes, and timestamps might not generate Access Transparency log entries; this access pathway gives read-only access. Viewing message payloads generates Access Transparency log entries.
7 There are some scenarios for which access to your data in Vertex AI by Google personnel isn't logged. See Limitations of Access Transparency in Vertex AI for the complete list of such scenarios.
Support for Google Workspace
Several Google Workspace services such as Gmail, Google Docs, Google Calendar, and Google Drive record the actions that Google personnel take when accessing customer content.
Access Transparency logs help ensure that Google personnel access customer content with a valid business justification. Access Transparency logs can also help security information and event management (SIEM) tools identify data exfiltration and exposure to external malicious actors targeting your Google Workspace resources. You can use the Google Cloud console to access the Access Transparency logs that Google Workspace services generate.
For more information about Access Transparency logs for Google Workspace, including the list of Google Workspace services that support Access Transparency, see Access Transparency: View logs on Google access to user content.
For information about viewing and understanding the Access Transparency logs that Google Workspace services generate, see Viewing Access Transparency logs for Google Workspace.
For information about the audit logs that Google Workspace services generate, see Cloud Audit Logs for Google Workspace.