This page introduces Access Transparency logging.
As part of Google's long-term commitment to security and transparency, we developed the Access Transparency product, which provides you with logs of actions taken by Google staff when accessing your data.
Alongside your other logs in Stackdriver Logging, you can also see logs of Google's activity, including: actions by the Support team that you may have requested by phone, lower level engineering investigations into your support requests, or other actions made for valid business purposes, such as recovering from an outage.
When to use Access Transparency
There are a variety of reasons why you might need Access Transparency. Some examples include:
- Verifying that Google is accessing your data only for valid business reasons, such as fixing a fault or attending to your requests.
- Verifying that Google’s staff have not made an error when carrying out your instructions.
- Verifying and tracking compliance with legal/regulatory obligations.
- Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.
Requirements for using Access Transparency
If you have a Platinum or Gold support package for your GCP organization, you can enable Access Transparency using the Google Cloud Platform Console. You will also need certain IAM roles and permissions.
If you have an equivalent Role-Based support package, you can also enable Access Transparency by contacting Sales or Support. You will not need special IAM roles or permissions. For information on contacting GCP Sales or Support, see GCP Support.
If you're not sure if you have a paid technical support package, check your Cloud Support console:
Roles and permissions
To enable Access Transparency using the Google Cloud Platform Console, you need two IAM roles:
Organization Admin and
Access Transparency Admin. To learn more
about how to grant IAM roles, see the IAM documentation.
You can also create a custom role containing the
axt.labels.set permissions. To find out more about custom roles, see the IAM
documentation on custom roles.
Configuring Access Transparency
The following information provides you with instructions on how to enable or disable Access Transparency.
Enabling Access Transparency
Once you have verified that your GCP organization meets the requirements for enabling Access Transparency, do the following steps:
- Go to the Google Cloud Platform Console IAM & Admin Settings page:
- In your GCP organization, select the GCP project for which you want to enable Access Transparency. Note that Access Transparency is configured at the GCP project level.
- Click the Enable Access Transparency button.
If your GCP project is not associated with a billing acocunt or you lack the proper permissions or roles, you will not be able to enable Access Transparency using the Google Cloud Platform Console. See Requirements for using Access Transparency for details.
Disabling Access Transparency
To disable Access Transparency, contact Support. You cannot disable Access Transparency using the Google Cloud Platform Console.
For information on contacting GCP Support, see GCP Support.
The table below lists the Google Cloud Platform services that write Access Transparency logs. GA indicates that a log type is Generally Available for a service; Beta indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
Access Transparency logs are produced by the following services:
|Services with Access Transparency support||Availability|
|Cloud Identity and Access Management (IAM)||GA|
|Cloud Key Management Service (KMS)||GA|
1 Cloud Storage is the only compatible storage backend for App
currently supported by Access Transparency.
What’s included in the logs?
Access Transparency logs are generated when people working for Google access data uploaded by you into an Access Transparency supported service (for example, viewing one of the labels on your Compute Engine instance), except when:
- You grant the person accessing the data permission via your Cloud Identity and Access Management
- Cloud Audit Logs (when enabled) are generated whenever you have a Google employee working with you to whom you have given access via Cloud Identity and Access Management.
- Google is legally prohibited from notifying you of the access.
- The data in question is a public resource identifier. For example, GCP project IDs or Cloud Storage bucket names.
- The access is a system job; for example, a compression job that runs on the
- Google uses an internal version of Binary Authorization to check that system code running on Access Transparency services has been reviewed by a second party.
Access Transparency logs are non-chargeable. However, enabling Access Transparency requires certain GCP Support levels. See Requirements for using Access Transparency for details.
- Learn how to configure and read Access Transparency.