This page describes Access Transparency and how to enable Access Transparency logs.
As part of Google's long-term commitment to security and transparency, you now can use Access Transparency, which provides you with logs of actions taken by Google staff when accessing your data.
You might be familiar with Cloud Audit Logs, which can help you answer questions about “who did what, where, and when?” in your Google Cloud Platform projects. While Cloud Audit Logs provides these logs about actions taken by members within your own organization, Access Transparency provides logs of actions taken by Google staff.
Alongside your other logs in Stackdriver Logging, Access Transparency logs include data about: actions by the Support team that you may have requested by phone, lower-level engineering investigations into your support requests, or other investigations made for valid business purposes, such as recovering from an outage.
If you require the ability to approve access before it happens, go to the Access Approval documentation.
When to use Access Transparency
There are a variety of reasons why you might need Access Transparency. Some examples include:
- Verifying that Google is accessing your data only for valid business reasons, such as fixing a fault or attending to your requests.
- Verifying that Google’s staff have not made an error when carrying out your instructions.
- Verifying and tracking compliance with legal/regulatory obligations.
- Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.
Access Transparency is enabled for the entire GCP organization. To enable Access Transparency per project, contact GCP Support.
Requirements for using Access Transparency
You can enable Access Transparency for your GCP organization if it meets one of the following requirements:
Your GCP organization has one of the following role-based support packages:
- Enterprise Support
- Four or more Development roles
- Four or more Production roles
- A combination of four or more Development or Production roles
You can enable Access Transparency by contacting GCP Sales or Support. You will not need special Cloud Identity and Access Management roles or permissions. For information on contacting GCP Sales or Support, see GCP Support.
Your GCP organization has a Platinum or Gold support package. You can enable Access Transparency using the Google Cloud Platform Console or by contacting GCP Support. You also need certain Cloud IAM permissions and a project with an associated billing account; both requirements are discussed in the configuration instructions below.
If you're not sure whether your GCP organization has an appropriate technical support package, check your Cloud Support console:
In the Support panel, you will see your Support status or the option to upgrade your package.
Configuring Access Transparency using the GCP Console
If you have determined that your GCP organization has the required Gold or Platinum support package, as described above, then you can use the following instructions to enable or disable Access Transparency using the GCP Console:
Check your organization-level permissions:
Go to the GCP Console IAM page:
If you are prompted, select the GCP organization in the selector menu atop the page.
Verify that you have the Cloud IAM role Access Transparency Admin (roles/axt.admin) listed in the Role column for your Member listing.
Select any GCP project within the organization using the selector menu atop the page.
Access Transparency is configured on a GCP project page but Access Transparency is enabled for the entire organization. To enable Access Transparency per project, contact GCP Support.
Verify that the GCP project is associated with a billing account; you can configure Access Transparency in the GCP Console only from a project that is associated with a billing account:
- In the left-hand navigation menu, select Billing. If you see the message This project is not associated with a billing account, then either select a different project or see instructions for Changing the billing account for a project.
Go to the IAM & Admin > Settings page.
Click the Enable Access Transparency button.
If your GCP project is not associated with the proper support package or billing account, or you lack the proper permissions, then this button isn't displayed. Contact GCP Support for further assistance.
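The role check in the procedure above can be scripted against the organization-level IAM policy instead of reading the Role column by eye. The following is an added example, not Google's code: it reads the JSON that gcloud organizations get-iam-policy ORG_ID --format=json prints (the sample policy below is constructed, with a placeholder etag) and reports whether a given user holds roles/axt.admin directly, only under a condition, possibly through a group, or not at all. Group membership is not visible in the policy, so a group grant is reported for follow-up rather than assumed.

```python
import json
import sys

AXT_ADMIN_ROLE = "roles/axt.admin"

# Constructed sample policy in the shape printed by
# `gcloud organizations get-iam-policy ORG_ID --format=json` (etag is a placeholder).
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["user:alice@example.com"]},
    {"role": "roles/axt.admin",
     "members": ["user:bob@example.com", "group:axt-admins@example.com"]},
    {"role": "roles/axt.admin",
     "members": ["user:temp@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2019-01-01T00:00:00Z')"}}
  ],
  "etag": "ETAG_PLACEHOLDER",
  "version": 3
}
"""


def load_policy(text):
    """Parse the JSON policy text into a dict."""
    return json.loads(text)


def axt_admin_grants(policy):
    """Map each member holding roles/axt.admin to the list of conditions on its
    bindings; a None entry means the grant is unconditional."""
    grants = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") != AXT_ADMIN_ROLE:
            continue
        condition = binding.get("condition")
        for member in binding.get("members", []):
            grants.setdefault(member, []).append(
                condition["expression"] if condition else None)
    return grants


def check_member(policy, email):
    """Classify whether user:<email> should expect to pass the roles/axt.admin check."""
    grants = axt_admin_grants(policy)
    direct = grants.get(f"user:{email}", [])
    if None in direct:
        return "granted"
    if direct:
        return "conditional"      # granted only while the binding's condition holds
    if any(m.startswith("group:") for m in grants):
        return "check-groups"     # may be granted through a group; verify membership
    return "missing"


if __name__ == "__main__":
    # Usage: python check_axt_admin.py [policy.json]; falls back to the sample policy.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = load_policy(fh.read())
    else:
        policy = load_policy(SAMPLE_POLICY_JSON)
    for email in ("bob@example.com", "temp@example.com", "alice@example.com"):
        print(f"{email}: {check_member(policy, email)}")
```

A "conditional" result is worth surfacing separately: an expired or time-boxed binding still appears in the policy but will not let you see the Enable Access Transparency button once its condition no longer holds.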
Disabling Access Transparency
To disable Access Transparency, contact GCP Support. You cannot disable Access Transparency using the GCP Console.
For information on contacting GCP Support, see GCP Support.
The table below lists the GCP services that write Access Transparency logs. GA indicates that a log type is generally available for a service; Beta indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
Access Transparency logs are produced by the following services:
GCP services with Access Transparency support | Availability
Cloud Identity and Access Management | GA
Cloud Key Management Service (KMS) | GA
Google Kubernetes Engine | Beta
1 Cloud Storage is the only compatible storage backend for App currently supported by Access Transparency.
2 Some information about your queries, tables, and datasets might not generate an Access Transparency log if viewed by GCP Support. Viewing query text, table names, dataset names, and dataset access control lists might not generate Access Transparency logs. This access pathway gives read-only access. Viewing query results and table or dataset data will still generate Access Transparency logs.
What’s included in the logs?
Access Transparency logs are generated when people working for Google access data uploaded by you into an Access Transparency supported service (for example, viewing one of the labels on your Compute Engine instance), except when:
- You grant the person accessing the data permission via your Cloud Identity and Access Management. (Cloud Audit Logs, when enabled, are generated whenever you have a Google employee working with you to whom you have given access via Cloud IAM.)
- Google is legally prohibited from notifying you of the access.
- The data in question is a public resource identifier; for example, GCP project IDs or Cloud Storage bucket names.
- The access is a system job; for example, a compression job that runs on the
- Google uses an internal version of Binary Authorization to check that system code running on Access Transparency services has been reviewed by a second party.
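The distinction drawn above (Google staff access appears in Access Transparency logs, while access you granted through Cloud IAM appears in Cloud Audit Logs) is also what a SIEM rule for the "collecting and analyzing tracked access events" use case has to encode. The following is an added example, not Google's code: it separates exported log entries by log name, keeps only the Access Transparency ones, and rates each by its stated reason, treating a support access that cites one of your open case numbers as expected and everything else as something for a human to review. The sample entries are constructed; the log-name suffixes, the jsonPayload field names, the reason type values (CUSTOMER_INITIATED_SUPPORT, GOOGLE_INITIATED_SERVICE) and the "Case number:" detail format are the author's understanding of the entry format and should be verified against entries from your own project.

```python
import re
from collections import Counter

# Log-name suffixes as they appear in exported entries (assumed; verify on your project).
AXT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"
AUDIT_LOG_SUFFIXES = ("cloudaudit.googleapis.com%2Factivity",
                      "cloudaudit.googleapis.com%2Fdata_access")
CASE_NUMBER_RE = re.compile(r"Case number:\s*(\S+)")  # assumed detail format
LOG_PREFIX = "projects/example-project/logs/"

# Constructed sample entries shaped like a Cloud Logging JSON export.
SAMPLE_ENTRIES = [
    {  # Google staff access tied to a support case your organization opened
        "insertId": "axt-0001", "timestamp": "2019-06-01T10:15:00Z",
        "logName": LOG_PREFIX + AXT_LOG_SUFFIX,
        "jsonPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "product": ["Cloud Storage"],
            "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 12345678"}],
            "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC"},
        },
    },
    {  # Google-initiated access, e.g. recovering from an outage, with no case number
        "insertId": "axt-0002", "timestamp": "2019-06-01T11:00:00Z",
        "logName": LOG_PREFIX + AXT_LOG_SUFFIX,
        "jsonPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "product": ["Cloud Key Management Service"],
            "reason": [{"type": "GOOGLE_INITIATED_SERVICE", "detail": "Investigating a latency regression"}],
            "location": {"principalOfficeCountry": "IE", "principalEmployingEntity": "Google Ireland Ltd"},
        },
    },
    {  # Support access citing a case number you do not have open
        "insertId": "axt-0003", "timestamp": "2019-06-02T08:30:00Z",
        "logName": LOG_PREFIX + AXT_LOG_SUFFIX,
        "jsonPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "product": ["Google Kubernetes Engine"],
            "reason": [{"type": "CUSTOMER_INITIATED_SUPPORT", "detail": "Case number: 99999999"}],
            "location": {"principalOfficeCountry": "US", "principalEmployingEntity": "Google LLC"},
        },
    },
    {  # Ordinary Cloud Audit Log entry: a member of your own organization, not Google staff
        "insertId": "audit-0001", "timestamp": "2019-06-02T09:00:00Z",
        "logName": LOG_PREFIX + "cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "methodName": "storage.buckets.update",
        },
    },
]


def classify(entry):
    """Which log family an exported entry belongs to, decided by its logName."""
    name = entry.get("logName", "")
    if name.endswith(AXT_LOG_SUFFIX):
        return "access_transparency"
    if name.endswith(AUDIT_LOG_SUFFIXES):
        return "cloud_audit"
    return "other"


def triage_access(entry, open_cases):
    """Map one Access Transparency entry to (severity, summary) for a SIEM rule.
    open_cases is the set of support case numbers your organization has open."""
    payload = entry.get("jsonPayload", {})
    products = ", ".join(payload.get("product") or ["unknown product"])
    office = payload.get("location", {}).get("principalOfficeCountry", "??")
    reasons = payload.get("reason") or []
    if not reasons:
        return "high", f"access to {products} with no stated reason (office: {office})"
    rtype = reasons[0].get("type", "UNKNOWN")
    detail = reasons[0].get("detail", "")
    if rtype == "CUSTOMER_INITIATED_SUPPORT":
        match = CASE_NUMBER_RE.search(detail)
        case = match.group(1) if match else None
        if case in open_cases:
            return "info", f"support access to {products} for open case {case} (office: {office})"
        return "high", f"support access to {products} cites unknown case {case!r} (office: {office})"
    if rtype == "GOOGLE_INITIATED_SERVICE":
        return "medium", f"Google-initiated access to {products}: {detail} (office: {office})"
    return "high", f"access to {products}, reason {rtype}: {detail} (office: {office})"


def build_siem_events(entries, open_cases):
    """Emit one SIEM event per Access Transparency entry; Cloud Audit Logs entries
    (your own organization's actions) are left to their own detection rules."""
    events = []
    for entry in entries:
        if classify(entry) != "access_transparency":
            continue
        severity, summary = triage_access(entry, open_cases)
        events.append({"id": entry.get("insertId"), "timestamp": entry.get("timestamp"),
                       "severity": severity, "summary": summary})
    return events, Counter(ev["severity"] for ev in events)


if __name__ == "__main__":
    events, counts = build_siem_events(SAMPLE_ENTRIES, open_cases={"12345678"})
    for ev in events:
        print(f"{ev['timestamp']} [{ev['severity']:<6}] {ev['id']}: {ev['summary']}")
    print(dict(counts))
```

Keying the "expected" outcome on your own list of open support cases, rather than on the reason type alone, is what makes the rule useful: a CUSTOMER_INITIATED_SUPPORT entry that cites a case you never opened is exactly the kind of event the logs exist to surface.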
Access Transparency logs are non-chargeable. However, enabling Access Transparency requires certain GCP support levels. See Requirements for using Access Transparency for details.
To understand the contents of Access Transparency log entries, see Reading Access Transparency logs.