This page describes Access Transparency and how to enable Access Transparency logs.
As part of Google's long-term commitment to security and transparency, you can use Access Transparency, which provides you with logs of actions taken by Google staff when accessing your data.
You might be familiar with Cloud Audit Logs, which can help you answer questions about “who did what, where, and when?” in your Google Cloud projects. While Cloud Audit Logs provides these logs about actions taken by members within your own organization, Access Transparency provides logs of actions taken by Google staff.
Alongside your other logs in Stackdriver Logging, Access Transparency logs include data about: actions by the Support team that you may have requested by phone, lower-level engineering investigations into your support requests, or other investigations made for valid business purposes, such as recovering from an outage.
If you require the ability to approve access before it happens, go to the Access Approval documentation.
When to use Access Transparency
There are a variety of reasons why you might need Access Transparency. Some examples include:
- Verifying that Google is accessing your data only for valid business reasons, such as fixing a fault or attending to your requests.
- Verifying that Google’s staff have not made an error when carrying out your instructions.
- Verifying and tracking compliance with legal/regulatory obligations.
- Collecting and analyzing tracked access events through an automated security information and event management (SIEM) tool.
Access Transparency is enabled for the entire Google Cloud organization. To enable Access Transparency per project, contact Google Cloud Support.
Requirements for using Access Transparency
You can enable Access Transparency for your Google Cloud organization if it meets one of the following requirements:
Your Google Cloud organization has one of the following role-based support packages:
- Enterprise Support
- Four or more Development roles
- Four or more Production roles
- A combination of four or more Development or Production roles
You can enable Access Transparency by contacting Google Cloud Sales or Support. You will not need special Cloud Identity and Access Management roles or permissions. For information on contacting Google Cloud Sales or Support, see Google Cloud Support.
Your Google Cloud organization has a Platinum or Gold support package. You can enable Access Transparency using the Google Cloud Console or by contacting Google Cloud Support. You also need certain Cloud IAM permissions and a project with an associated billing account; both requirements are discussed in the configuration instructions below.
If you're not sure whether your Google Cloud organization has an appropriate technical support package, check your Cloud Support console:
In the Support panel, you will see your Support status or the option to upgrade your package.
Configuring Access Transparency using the Cloud Console
If you have determined that your Google Cloud organization has the required Gold or Platinum support package, as described above, then you can use the following instructions to enable or disable Access Transparency using the Cloud Console:
Check your organization-level permissions:
Go to the Cloud Console IAM page:
If you are prompted, select the Google Cloud organization in the selector menu atop the page.
Verify that you have the Cloud IAM role Access Transparency Admin (roles/axt.admin) listed in the Role column for your Member listing.
Select any Google Cloud project within the organization using the selector menu atop the page.
Access Transparency is configured on a Google Cloud project page but Access Transparency is enabled for the entire organization. To enable Access Transparency per project, contact Google Cloud Support.
Verify that the Google Cloud project is associated with a billing account; you can configure Access Transparency in the Cloud Console only from a project that is associated with a billing account:
- In the left-hand navigation menu, select Billing. If you see the message This project is not associated with a billing account, then either select a different project or see instructions for Changing the billing account for a project.
Go to the IAM & Admin > Settings page.
Click the Enable Access Transparency button.
If your Google Cloud project is not associated with the proper support package or billing account, or you lack the proper permissions, then this button isn't displayed. Contact Google Cloud Support for further assistance.
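To check the organization-level role from an exported IAM policy instead of scanning the Console, here is an added example (not from Google's documentation): it reads a policy in the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns and reports how a member holds roles/axt.admin, flagging conditional bindings and group bindings it cannot resolve offline. The sample policy, member names and condition are constructed.

```python
import json

# Role named in the steps above; it must be granted at the organization level.
AXT_ADMIN_ROLE = "roles/axt.admin"

# Constructed sample policy (standard IAM policy JSON: bindings/role/members/condition).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/axt.admin",
     "members": ["user:alice@example.com", "group:axt-admins@example.com"]},
    {"role": "roles/axt.admin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/viewer", "members": ["user:carol@example.com"]}
  ],
  "etag": "BwWXyz",
  "version": 3
}
""")


def axt_admin_grants(policy, member):
    """List how `member` may hold roles/axt.admin in `policy`.

    Each entry is ("direct", None), ("conditional", <CEL expression>) or
    ("possibly_via_group", "group:...") for group bindings that cannot be
    resolved without Cloud Identity. An empty list means the member lacks
    the role, so the Enable Access Transparency button will not appear.
    """
    grants = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != AXT_ADMIN_ROLE:
            continue
        condition = binding.get("condition")
        for m in binding.get("members", []):
            if m == member:
                if condition:  # conditional grants may have expired or not apply
                    grants.append(("conditional", condition.get("expression")))
                else:
                    grants.append(("direct", None))
            elif m.startswith("group:"):
                grants.append(("possibly_via_group", m))
    return grants
```

Conditional bindings are reported rather than trusted because the Console evaluates the condition at request time; confirm those cases in the IAM page itself.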
Disabling Access Transparency
To disable Access Transparency, contact Google Cloud Support. You cannot disable Access Transparency using the Cloud Console.
For information on contacting Google Cloud Support, see Google Cloud Support.
The table below lists the Google Cloud services that write Access Transparency logs. GA indicates that a log type is generally available for a service; Beta indicates that a log type is available, but might be changed in backward-incompatible ways and is not subject to any SLA or deprecation policy.
Access Transparency logs are produced by the following services:
|Google Cloud services with Access Transparency support|Availability|
|---|---|
|Cloud Identity and Access Management|GA|
|Cloud Key Management Service (KMS)|GA|
|Google Kubernetes Engine|Beta|
1 Cloud Storage is the only compatible storage backend for App currently supported by Access Transparency.
2 Some information about your queries, tables, and datasets might not generate an Access Transparency log if viewed by Google Cloud Support. Viewing query text, table names, dataset names, and dataset access control lists might not generate Access Transparency logs; this access pathway gives read-only access. Viewing query results and table or dataset data will still generate Access Transparency logs.
3 Some information about your topics and subscriptions might not generate an Access Transparency log if viewed by Google Cloud Support. Viewing topic names, subscription names, message attributes, and timestamps might not generate Access Transparency logs; this pathway gives read-only access. Viewing message payloads will still generate Access Transparency logs.
What’s included in the logs?
Access Transparency logs are generated if Google staff accesses data that you uploaded into a supported Google Cloud service (for example, viewing one of the labels on your Compute Engine instance), except when:
- You grant the person accessing the data permission via your Cloud Identity and Access Management
- Cloud Audit Logs (when enabled) are generated whenever you have a Google employee working with you to whom you have given access via Cloud IAM.
- Google is legally prohibited from notifying you of the access.
- The data in question is a public resource identifier; for example, Google Cloud project IDs or Cloud Storage bucket names.
- The access is a system job; for example, a compression job that runs on the
- Google uses an internal version of Binary Authorization to check that system code running on Access Transparency services has been reviewed by a second party.
Access Transparency logs are non-chargeable. However, enabling Access Transparency requires certain Google Cloud Support levels. See Requirements for using Access Transparency for details.
To understand the contents of Access Transparency log entries, see Reading Access Transparency logs.