This page describes the contents of Access Transparency log entries and how to view and use them.
Access Transparency logs in detail
Access Transparency logs can be integrated with your existing security information and event management (SIEM) tools to automate your audits of Google personnel's access to your content. Access Transparency logs are available in the Google Cloud Console alongside your Cloud Audit Logs.
Access Transparency log entries include the following types of details:
- The affected resource and action.
- The time of the action.
- The reasons for the action (for example, the case number associated with a customer support request).
- Data about who is acting on the content (for example, the Google personnel's location).
Configuring Access Transparency
To configure Access Transparency logs, see the Access Transparency overview.
Viewing Access Transparency logs
After you've configured Access Transparency for your Google Cloud organization, you can set controls for who can access the Access Transparency logs by assigning a user or group the Private Logs Viewer role. See the Cloud Logging access control guide for details.
To learn how to see your Access Transparency logs in the Logs Explorer, see Using the Logs Explorer.
You can monitor the logs by using the Cloud Monitoring API or using Cloud Functions. To get started, see the Cloud Monitoring documentation.
Optional: Create a logs-based metric and then set up an alerting policy to give you timely awareness of issues surfaced by these logs.
Sample Access Transparency log entry
The following is an example of an Access Transparency log entry:
```json
{
  "insertId": "abcdefg12345",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {
      "principalOfficeCountry": "US",
      "principalEmployingEntity": "Google LLC",
      "principalPhysicalLocationCountry": "CA"
    },
    "product": [
      "Cloud Storage"
    ],
    "reason": {
      "detail": "Case number: bar123",
      "type": "CUSTOMER_INITIATED_SUPPORT"
    },
    "accesses": [
      {
        "methodName": "GoogleInternal.Read",
        "resourceName": "//googleapis.com/storage/buckets/BUCKET_NAME/objects/foo123"
      }
    ]
  },
  "logName": "projects/Google Cloud project/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "operation": {
    "id": "12345xyz"
  },
  "receiveTimestamp": "2017-12-18T16:06:37.400577736Z",
  "resource": {
    "labels": {
      "project_id": "1234567890"
    },
    "type": "project"
  },
  "severity": "NOTICE",
  "timestamp": "2017-12-18T16:06:24.660001Z"
}
```
Log field descriptions
Field | Description |
---|---|
insertId | Unique identifier for the log entry. |
@type | Access Transparency log identifier. |
principalOfficeCountry | ISO 3166-1 alpha-2 country code of the country in which the accessor has a permanent desk, ?? if the location is not available, or a 3-character continent identifier where Google personnel are in a low-population country. |
principalEmployingEntity | The entity that employs the Google personnel making the access (for example, Google LLC). |
principalPhysicalLocationCountry | ISO 3166-1 alpha-2 country code of the country from which the access was made, ?? if the location is not available, or a 3-character continent identifier where Google personnel are in a low-population country. |
product | Customer's GCP product that was accessed. |
reason:detail | Details of the reason, for example, a support ticket ID. |
reason:type | Access reason type (for example, CUSTOMER_INITIATED_SUPPORT). |
accesses:methodName | What type of access was made (for example, GoogleInternal.Read). |
accesses:resourceName | Name of the resource that was accessed. |
logName | Name of the log location. |
operation:id | Log cluster ID. |
receiveTimestamp | Time the access was received by the logging pipeline. |
project_id | Project associated with the resource that was accessed. |
type | Type of resource that was accessed (for example, project). |
severity | Log severity. |
timestamp | Time the log was written. |
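The following added example (not Google's code, and not part of the original page) shows how a SIEM ingestion step can normalize one Access Transparency entry using the fields documented above. The sample entry is constructed from the documented layout (the project name `example-project` is a placeholder); the allowed-country set, the `??` check for an unavailable location, and the case-number check for support accesses are review heuristics chosen here, not rules the page states.

```python
"""Normalize an Access Transparency log entry for SIEM ingestion (added example)."""
import json
from datetime import datetime, timezone

AT_TYPE = "type.googleapis.com/google.cloud.audit.TransparencyLog"
# Reason types listed in the "Justification reason codes" table.
KNOWN_REASONS = {
    "CUSTOMER_INITIATED_SUPPORT",
    "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST",
    "GOOGLE_INITIATED_REVIEW",
}

# Constructed sample entry that mirrors the field layout documented above.
SAMPLE_ENTRY = json.dumps({
    "insertId": "abcdefg12345",
    "jsonPayload": {
        "@type": AT_TYPE,
        "location": {
            "principalOfficeCountry": "US",
            "principalEmployingEntity": "Google LLC",
            "principalPhysicalLocationCountry": "CA",
        },
        "product": ["Cloud Storage"],
        "reason": {"detail": "Case number: bar123", "type": "CUSTOMER_INITIATED_SUPPORT"},
        "accesses": [{
            "methodName": "GoogleInternal.Read",
            "resourceName": "//googleapis.com/storage/buckets/BUCKET_NAME/objects/foo123",
        }],
    },
    "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Faccess_transparency",
    "operation": {"id": "12345xyz"},
    "receiveTimestamp": "2017-12-18T16:06:37.400577736Z",
    "resource": {"labels": {"project_id": "1234567890"}, "type": "project"},
    "severity": "NOTICE",
    "timestamp": "2017-12-18T16:06:24.660001Z",
})


def parse_rfc3339(value):
    """Parse an RFC 3339 UTC timestamp; the sample uses up to 9 fractional digits."""
    base, _, frac = value.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0  # truncate to microseconds
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def normalize(raw, allowed_countries=frozenset({"US"})):
    """Flatten one entry into a SIEM-friendly record and attach review flags."""
    entry = json.loads(raw)
    payload = entry.get("jsonPayload", {})
    if payload.get("@type") != AT_TYPE:
        raise ValueError("not an Access Transparency entry: %r" % payload.get("@type"))
    loc = payload.get("location", {})
    reason = payload.get("reason", {})
    written = parse_rfc3339(entry["timestamp"])
    received = parse_rfc3339(entry["receiveTimestamp"])
    record = {
        "insert_id": entry["insertId"],
        "project_id": entry["resource"]["labels"]["project_id"],
        "timestamp": written,
        "pipeline_delay_s": (received - written).total_seconds(),
        "office_country": loc.get("principalOfficeCountry", "??"),
        "access_country": loc.get("principalPhysicalLocationCountry", "??"),
        "employer": loc.get("principalEmployingEntity"),
        "products": list(payload.get("product", [])),
        "reason_type": reason.get("type"),
        "reason_detail": reason.get("detail"),
        "accesses": [(a["methodName"], a["resourceName"]) for a in payload.get("accesses", [])],
    }
    flags = []  # hypothetical review heuristics for an analyst queue
    if record["reason_type"] not in KNOWN_REASONS:
        flags.append("unknown_reason_type")
    if (record["reason_type"] == "CUSTOMER_INITIATED_SUPPORT"
            and "case number" not in (record["reason_detail"] or "").lower()):
        flags.append("support_access_without_case_number")
    if "??" in (record["office_country"], record["access_country"]):
        flags.append("location_unavailable")  # "??" means location not available
    if record["access_country"] not in allowed_countries:
        flags.append("access_outside_allowed_countries")
    record["flags"] = flags
    return record


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_ENTRY), default=str, indent=2))
```

The `pipeline_delay_s` field (receiveTimestamp minus timestamp) is worth keeping in the record: a large or growing gap between when an access was logged and when it reached the pipeline is the first thing to check if Access Transparency entries appear to be arriving late in your SIEM.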
Justification reason codes
Reason | Description |
---|---|
CUSTOMER_INITIATED_SUPPORT | Customer-initiated support, for example, Case Number: #### |
GOOGLE_INITIATED_SERVICE | Google-initiated access, for example, to perform system management and troubleshooting, which includes: |
THIRD_PARTY_DATA_REQUEST | Customer-initiated access by Google to respond to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own content. Note that Access Transparency logs in this case may not be available if Google cannot legally inform the customer of such a request or process. |
GOOGLE_INITIATED_REVIEW | Google-initiated access for security, fraud, abuse, or compliance purposes, including: |
Monitoring Access Transparency logs
You can monitor Access Transparency logs by using the Cloud Monitoring API. To get started, see the Cloud Monitoring documentation.
You can set up a logs-based metric and then set up an alerting policy to give you timely awareness of issues surfaced by these logs. For example, you can create a logs-based metric that captures Google personnel accesses of your content and then create an alerting policy in Monitoring that notifies you if the number of accesses in a given period exceeds a specified threshold.
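The threshold logic described above, as an added example that is not Google's code and not part of the original page: it evaluates "more than N accesses in a trailing window" over a constructed list of access timestamps, so a team can decide on a window and threshold against its own history before creating the alerting policy in Monitoring. The timestamps, window, and threshold are all constructed here.

```python
"""Local check of a "too many accesses in a period" alert condition (added example)."""
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed access timestamps for one project on one day. The cluster around
# 16:05-16:07 represents a burst of five accesses within two minutes.
ACCESS_TIMES = [
    datetime(2017, 12, 18, 9, 12, 0, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 13, 40, 0, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 16, 5, 10, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 16, 5, 45, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 16, 6, 24, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 16, 6, 50, tzinfo=timezone.utc),
    datetime(2017, 12, 18, 16, 7, 5, tzinfo=timezone.utc),
]


def find_breaches(times, window, threshold):
    """Return one (window_start, count) per episode in which the number of
    accesses inside a trailing window of length `window` exceeds `threshold`.

    An episode fires once when the count first crosses the threshold and can
    fire again only after the count has dropped back to the threshold or below,
    which mirrors how an alerting policy opens a single incident per breach.
    """
    breaches = []
    recent = deque()   # accesses inside the current trailing window
    firing = False
    for t in sorted(times):
        recent.append(t)
        while recent[0] <= t - window:   # evict accesses older than the window
            recent.popleft()
        if len(recent) > threshold:
            if not firing:
                breaches.append((recent[0], len(recent)))
                firing = True
        else:
            firing = False
    return breaches


if __name__ == "__main__":
    for start, count in find_breaches(ACCESS_TIMES, timedelta(minutes=5), 3):
        print("breach: %d accesses in the 5 minutes starting %s" % (count, start.isoformat()))
```

Run it with a few candidate settings: a five-minute window with a threshold of three fires once on the 16:05 burst, while a one-day window with a threshold of five also fires once because the whole day's seven accesses land in one window. Pick the pair that would have caught the incidents you care about without paging on routine support work.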