Overview of Access Transparency

This page introduces Access Transparency logging.

Introduction

As part of Google's long-term commitment to security and transparency, we developed the Access Transparency product, which provides you with logs of actions taken by Google staff when accessing your data.

Alongside your other logs in Stackdriver Logging, you can see logs of Google's activity, including actions by the Support team that you requested by phone, lower-level engineering investigation of your support requests, and other actions taken for valid business purposes, such as recovering from an outage.

When to use Access Transparency

There are a variety of reasons why you might need Access Transparency. Some examples include:

  • Verifying that Google is accessing your data only for valid business reasons, such as fixing a fault or attending to your requests.
  • Verifying that Google’s staff have not made an error when carrying out your instructions.
  • Verifying and tracking compliance with legal/regulatory obligations.
  • Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.
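
As an added example (not part of the original page), the following Python script performs the kind of triage a SIEM rule would run over an Access Transparency export, such as the JSON that `gcloud logging read --format=json` prints. The payload field names (jsonPayload.reason, product, accessedResources, location), the reason type strings, the "Case number:" format of the detail text and the three sample entries are all assumptions constructed for the example; confirm them against an entry exported from your own project before relying on the rules. The script escalates any access that is not tied to a support case you actually opened, which is the verification the first bullet above describes.

```python
import json
import re

# Constructed sample of an Access Transparency export (three entries). The
# field names below are assumptions about the log payload, not taken from the
# page; verify them against a real entry from your own project.
SAMPLE_EXPORT = json.loads(r'''
[
  {"insertId": "e1",
   "timestamp": "2018-09-12T10:15:00Z",
   "jsonPayload": {
     "product": ["Cloud Storage"],
     "accessedResources": ["//storage.googleapis.com/projects/_/buckets/example-bucket"],
     "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 12345678"}],
     "location": {"principalPhysicalLocationCountry": "US"}}},
  {"insertId": "e2",
   "timestamp": "2018-09-12T11:02:00Z",
   "jsonPayload": {
     "product": ["Compute Engine"],
     "accessedResources": ["//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/vm-1"],
     "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 99999999"}],
     "location": {"principalPhysicalLocationCountry": "IE"}}},
  {"insertId": "e3",
   "timestamp": "2018-09-12T12:30:00Z",
   "jsonPayload": {
     "product": ["Persistent Disk"],
     "accessedResources": ["//compute.googleapis.com/projects/example-project/zones/us-central1-a/disks/data-1"],
     "reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": "Outage recovery"}],
     "location": {"principalPhysicalLocationCountry": "US"}}}
]
''')

# Support cases your organization currently has open with Google. In
# production this comes from your ticketing system; here it is constructed.
OPEN_CASES = {"12345678"}

# Assumed format of the justification detail for customer-initiated support.
CASE_RE = re.compile(r"Case number:\s*(\d+)")


def triage_entry(entry, open_cases):
    """Return (severity, message) for one Access Transparency entry.

    The rules encode the page's verification goals: an access is expected only
    when it serves a support request you actually made, or a valid Google-side
    business reason such as outage recovery. Anything else is escalated.
    """
    payload = entry.get("jsonPayload", {})
    reasons = payload.get("reason") or []
    if not reasons:
        return "HIGH", "access recorded without any justification"
    for reason in reasons:
        rtype = reason.get("type", "")
        detail = reason.get("detail", "")
        if rtype == "CUSTOMER_INITIATED_SUPPORT":
            match = CASE_RE.search(detail)
            if match and match.group(1) in open_cases:
                return "INFO", f"tied to open support case {match.group(1)}"
            # A support justification that does not match any case you opened
            # is exactly the discrepancy these logs exist to surface.
            return "HIGH", f"claims a support case we do not recognise: {detail!r}"
        if rtype == "GOOGLE_INITIATED_SERVICE":
            # Valid business purpose per the page (e.g. recovering from an
            # outage), but nobody on your side asked for it: review it.
            return "MEDIUM", f"Google-initiated access: {detail}"
    return "HIGH", f"unexpected justification type(s): {[r.get('type') for r in reasons]}"


def triage(entries, open_cases=OPEN_CASES):
    """Triage a batch of entries; returns a list of dicts ready for a SIEM."""
    findings = []
    for entry in entries:
        severity, message = triage_entry(entry, open_cases)
        payload = entry.get("jsonPayload", {})
        findings.append({
            "insertId": entry.get("insertId"),
            "timestamp": entry.get("timestamp"),
            "severity": severity,
            "products": payload.get("product", []),
            "resources": payload.get("accessedResources", []),
            "country": payload.get("location", {}).get("principalPhysicalLocationCountry"),
            "message": message,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT):
        print(f"{f['severity']:<6} {f['insertId']} {f['products']} {f['message']}")
```

Run against the constructed export, the script rates the access tied to case 12345678 as INFO, the access citing an unknown case number as HIGH, and the Google-initiated outage recovery as MEDIUM for review. Feed the resulting findings to your SIEM rather than the raw entries so alert rules can key on severity and the case-number match.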

Requirements for using Access Transparency

If you have a Platinum or Gold support package for your GCP organization, you can enable Access Transparency using the Google Cloud Platform Console. You will also need certain IAM roles and permissions.

If you have an equivalent Role-Based support package, you can also enable Access Transparency by contacting Sales or Support. You will not need special IAM roles or permissions. For information on contacting GCP Sales or Support, see GCP Support.

If you're not sure whether you have a paid technical support package, check the Cloud Support page in the Google Cloud Platform Console.

Roles and permissions

To enable Access Transparency using the Google Cloud Platform Console, you need two IAM roles: Organization Admin and Access Transparency Admin. To learn how to grant IAM roles, see the IAM documentation.

Instead of the predefined Access Transparency Admin role, you can also grant a custom role that contains the axt.labels.get and axt.labels.set permissions. To find out more about custom roles, see the IAM documentation on custom roles.

Configuring Access Transparency

The following sections explain how to enable or disable Access Transparency.

Enabling Access Transparency

Once you have verified that your GCP organization meets the requirements for enabling Access Transparency, do the following:

  1. In the Google Cloud Platform Console, open the IAM & Admin Settings page.

  2. In your GCP organization, select the GCP project for which you want to enable Access Transparency. Access Transparency is configured at the GCP project level.

  3. Click the Enable Access Transparency button.

If the GCP project is not associated with a billing account, or you lack the required roles or permissions, you cannot enable Access Transparency using the Google Cloud Platform Console. See Requirements for using Access Transparency for details.

Disabling Access Transparency

To disable Access Transparency, contact Support. You cannot disable Access Transparency using the Google Cloud Platform Console.

For information on contacting GCP Support, see GCP Support.

Service availability

The table below lists the Google Cloud Platform services that write Access Transparency logs. GA indicates that a log type is Generally Available for a service; Beta indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.

Access Transparency logs are produced by the following services:

Service                                      Availability
App Engine (1)                               GA
Cloud Identity and Access Management (IAM)   GA
Cloud Key Management Service (KMS)           GA
Cloud Storage                                GA
Compute Engine                               GA
Persistent Disk                              GA

(1) For App Engine, Access Transparency currently covers only data stored in Cloud Storage, the one App Engine storage backend it supports.

What’s included in the logs?

Access Transparency logs are generated when people working for Google access data that you uploaded into an Access Transparency supported service (for example, viewing one of the labels on your Compute Engine instance), except when:

  1. You granted the person accessing the data permission through your Cloud Identity and Access Management policy.
    • Such access is recorded by Cloud Audit Logs (when enabled) rather than by Access Transparency, because the Google employee working with you is acting as a principal you authorized via Cloud Identity and Access Management.
  2. Google is legally prohibited from notifying you of the access.
  3. The data in question is a public resource identifier, for example a GCP project ID or a Cloud Storage bucket name.
  4. The access is a system job, for example a compression job that runs on the data.
    • Google uses an internal version of Binary Authorization to check that system code running on Access Transparency supported services has been reviewed by a second party.

Pricing

There is no charge for Access Transparency logs. However, enabling Access Transparency requires one of the GCP Support levels listed under Requirements for using Access Transparency.
