Best practices for Cloud Audit Logs

This guide compiles best practices for configuring Cloud Audit Logs to meet your organization's logging needs around security, investigations, and compliance.

Introduction

Cloud Audit Logs helps security, auditing, and compliance entities maintain audit trails in Google Cloud. With Cloud Audit Logs, your enterprise can attain the same level of transparency over administrative activities and accesses to data in Google Cloud as in on-premises environments.

Configuring Cloud Audit Logs

  • Determine and apply your organization-level data access policy. For more information, go to Configuring Data Access audit logs.

  • Use a test Google Cloud project to validate the configuration of your Data Access audit logs collection before propagating to developer and production projects.

  • Adopt a least-privilege approach to granting permissions.

  • Data Access audit logs are off by default. When you enable new Google Cloud services, evaluate whether or not to enable Data Access audit logs for that new service. Only BigQuery has Data Access audit logs enabled by default.

  • Consider pricing implications.

  • Configure exports for your audit logs at the appropriate Google Cloud resource levels.

  • Configure alerts to distinguish between events that require immediate investigation versus low-priority events.

Pricing considerations

  • Be aware that Data Access audit logs can be quite large and that you might incur additional costs for storage. For pricing information, go to Pricing: Logging details.

  • Make sure to exclude logging data that isn't useful.

    • For example, you shouldn't need to log Data Access audit logs in development projects.

Least privilege

  • Be sure that you've applied the appropriate Identity and Access Management controls to restrict who can access the audit logs by granting the appropriate Cloud Logging roles to your users.

  • Use the configuring roles for audit logging guidance.

  • Apply the same access policies to the Google Cloud destination that you use to export logs as you applied to the Logs Explorer.

Viewing and understanding logs

If you need to troubleshoot, being able to quickly look at logs is a requirement:

  • Understand your options for viewing audit logs.

  • Understand the format of an audit log entry.

    • If exporting to BigQuery, understand the format of the data that has been exported and how to query the exported data. For more information, go to BigQuery schema for exported logs.

  • Understand and use Logging query language to configure queries, sinks, and alerts.

  • Use the mapping service to resource types table when creating logging queries.

  • Train your support team on how to use audit logging to assist in troubleshooting.

    • Make sure that your support team can access the audit logs.

    • Create a quick how-to guide for the members of your support team who might be on rotation so that they know how to troubleshoot common problems.

Export configuration

  • Design aggregated sinks on which your organization can query and export the data for future analysis.

  • Most exports are at the Google Cloud project level. Determine whether you need folder-level or organization-level exports; if so, set up a sink at the IAM organization or folder level so that it exports logs from all the projects inside that organization or folder. For example, you might consider these export levels depending on your export use case:

    • Organization-level export. If your organization uses a SIEM to manage multiple audit logs, you might want to export all of your organization's audit logs. Thus, an organization-level export makes sense.

    • Folder-level export. Sometimes, you might want to only export departmental audit logs. For example, if you have a "Finance" folder and an "IT" folder, you might find value in only exporting the audit logs belonging to the "Finance" folder, or vice versa.

    For more information, go to Resource hierarchy.

  • Determine whether you need to export logs for longer-term retention; if so, set up a log sink before you start receiving logs. You can't retroactively export logs that were written before the sink was created.

    • For example, the following gcloud command-line tool command sends all Admin Activity audit logs from your entire Google Cloud organization to a single BigQuery sink:

      gcloud logging sinks create my-bq-sink bigquery.googleapis.com/projects/my-project/datasets/my_dataset --log-filter='logName: "logs/cloudaudit.googleapis.com%2Factivity"' --organization=1234 --include-children

    Note that destination charges might apply to your exports.
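    The following script is an added example and is not part of the original guide or the gcloud documentation. It goes beyond the single command above: it builds the gcloud commands for an organization-level aggregated BigQuery sink that carries both Admin Activity and Data Access audit logs while dropping Data Access logs from development projects, and then grants only the sink's own writer identity access to the destination. ORG_ID, PROJECT, DATASET, SINK and the "dev-" project-ID prefix are assumed placeholders.

    ```shell
    #!/bin/sh
    # Added example, not from the original guide. Prints the gcloud commands for an
    # organization-level aggregated sink; review the output before running it.
    set -eu

    ORG_ID="${ORG_ID:-123456789012}"   # placeholder organization ID
    PROJECT="${PROJECT:-my-project}"    # project that owns the destination dataset
    DATASET="${DATASET:-audit_logs}"    # placeholder BigQuery dataset
    SINK="${SINK:-org-audit-bq-sink}"   # placeholder sink name
    DEST="bigquery.googleapis.com/projects/${PROJECT}/datasets/${DATASET}"

    # Logging query language filter. Admin Activity logs are always kept; Data
    # Access logs are kept only outside projects whose ID starts with "dev-",
    # which keeps the large, low-value development volume out of the bill.
    audit_filter() {
      printf '%s' 'logName:"logs/cloudaudit.googleapis.com%2Factivity" OR (logName:"logs/cloudaudit.googleapis.com%2Fdata_access" AND NOT resource.labels.project_id=~"^dev-")'
    }

    # Aggregated sink at the organization level: --include-children pulls in the
    # logs of every folder and project below the organization.
    sink_create_cmd() {
      printf 'gcloud logging sinks create %s %s --organization=%s --include-children --log-filter=%s\n' \
        "$SINK" "$DEST" "$ORG_ID" "'$(audit_filter)'"
    }

    # The sink writes through its own service account (writerIdentity). Grant that
    # identity, and nothing broader, write access on the destination project so
    # the destination stays as restricted as the Logs Explorer itself.
    grant_cmds() {
      cat <<EOF
    WRITER=\$(gcloud logging sinks describe $SINK --organization=$ORG_ID --format='value(writerIdentity)')
    gcloud projects add-iam-policy-binding $PROJECT --member="\$WRITER" --role=roles/bigquery.dataEditor
    EOF
    }

    sink_create_cmd
    grant_cmds
    ```

    Pipe the printed commands into a shell only after confirming the filter and destination are the ones you intend; the sink starts exporting only from the moment it is created.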

  • Follow the best practices for common logging export scenarios.

  • Export your Compute Engine firewall logs to the same sink as your audit logs.