Access Transparency

This page describes Access Transparency and how to enable Access Transparency logs.

Overview

Access Transparency represents Google's long-term commitment to security and transparency by providing you with logs that capture the actions Google personnel take when accessing your content.

You might be familiar with Cloud Audit Logs, which can help you answer questions about "who did what, where, and when?" in your Google Cloud projects. While Cloud Audit Logs provides these logs about the actions taken by members within your own organization, Access Transparency provides logs of the actions taken by Google personnel.

When to use Access Transparency

You might need Access Transparency logs data for the following reasons:

  • Verifying that Google personnel are accessing your content only for valid business reasons, such as fixing an outage or when the Google Support team attends to your requests.
  • Verifying that Google personnel haven't made an error when carrying out your instructions.
  • Verifying and tracking compliance with legal or regulatory obligations.
  • Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.

Access Transparency is enabled at the Google Cloud organization level. To enable Access Transparency per project, contact Google Cloud Support.

Requirements for using Access Transparency

To enable Access Transparency for your Google Cloud organization, it must meet one of the following requirements:

  • Your Google Cloud organization has one of the following role-based Support packages:

    • Enterprise Support
    • Four or more Development roles
    • Four or more Production roles
    • A combination of four or more Development or Production roles

    You can enable Access Transparency by contacting Google Cloud Sales or Support. You don't need special Cloud Identity and Access Management roles or permissions. For information on contacting Google Cloud Sales or Support, see Google Cloud Support.

  • Your Google Cloud organization has one of the following Support packages:

    • Platinum Support
    • Gold Support

    You can enable Access Transparency by contacting Google Cloud Support. You can also enable Access Transparency directly in the Google Cloud Console; see the configuration instructions below.

If you're not sure whether your Google Cloud organization has an appropriate Support package, check your Cloud Support console:

Go to Support Console

In the Support panel, you see either your Support status or the option to upgrade your package.

Configuring Access Transparency using the Cloud Console

If your Google Cloud organization has the Gold or Platinum support package, follow these instructions to enable or disable Access Transparency using the Cloud Console:

  1. Check your organization-level permissions:

    1. Go to the Cloud Console IAM page:

      Go to IAM

    2. If you're prompted, select the Google Cloud organization in the selector menu.

    3. Verify that you have the Cloud IAM role Access Transparency Admin (roles/axt.admin) listed in the Role column for your Member listing.

  2. Select any Google Cloud project within the organization using the selector menu.

    Access Transparency is configured on a Google Cloud project page but Access Transparency is enabled for the entire organization. To enable Access Transparency per project, contact Google Cloud Support.

  3. Verify that the Google Cloud project is associated with a billing account; you can configure Access Transparency in the Cloud Console only from a project that is associated with a billing account:

    1. In the left-hand navigation menu, select Billing. If you see the message This project is not associated with a billing account, then either select a different project or see instructions for Changing the billing account for a project.
  4. Go to the IAM & Admin > Settings page.

  5. Click the Enable Access Transparency button.

    If your Google Cloud project isn't associated with the proper Support package or billing account, or you lack the proper permissions, then this button isn't displayed. Contact Google Cloud Support for further assistance.

Disabling Access Transparency

To disable Access Transparency, contact Google Cloud Support. You cannot disable Access Transparency using the Cloud Console.

For information on contacting Google Cloud Support, see Google Cloud Support.

Google services producing Access Transparency logs

For a list of Google services that provide Access Transparency logs, go to Google services with Access Transparency logs.

What's excluded from Access Transparency logs?

Access Transparency logs are generated when Google personnel access content that you've uploaded into an Access Transparency supported service, except in the following scenarios:

  1. Google is legally prohibited from notifying you of the access.

  2. You've granted the Google personnel permission to access your content via your Cloud Identity and Access Management policy. Instead, Cloud Audit Logs (when enabled) are generated whenever you've granted Google personnel the appropriate Cloud IAM permissions.

  3. The access doesn't target a particular user's content; for example, a Google engineer querying for the average size of records in a database that contains content from multiple Google Cloud customers.

  4. The content in question is a public resource identifier. For example:

    • Google Cloud project IDs
    • Cloud Storage bucket names
    • Compute Engine VM names
    • Google Kubernetes Engine cluster names
    • BigQuery resource names (including datasets, tables, and reservations)
  5. The access is a system job or part of a standard workflow; for example, a compression job that runs on the content or disk destruction during the content deletion process. Details are as follows:

    • Google uses an internal version of Binary Authorization to check that system code running on Access Transparency services has been reviewed by multiple Google personnel before it accesses customer content. The reviewer must be designated as an owner of the source code, preventing modification by unauthorized Google personnel.

    • Google validates that the system job accessing customer content is authorized to do so. For example:

      • To grant you access to your own content
      • To index, compress, or perform other optimization operations
      • To run scheduled jobs or workloads

Google detects whether access to customer content is targeted or untargeted before generating Access Transparency logs. If there is no way to identify a customer from the content that was accessed, an Access Transparency log won't be generated.

Google strictly limits the number and permissions of personnel who could access customer content while performing tasks on low-level infrastructure. Google uses encryption to limit the ability for personnel in these situations to read customer content, and closely monitors personnel behavior with internal logging and auditing. These low-level accesses don't generate Access Transparency logs.

Pricing

Access Transparency logs are non-chargeable. However, enabling Access Transparency requires certain Google Cloud Support levels. See Requirements for using Access Transparency for details.

What's next

To understand the contents of Access Transparency log entries, see Reading Access Transparency logs.