Reading Access Transparency logs

This page describes the contents of Access Transparency log entries.

Access Transparency logs in detail

Access Transparency provides you with logs of actions taken by Google employees in your Google Cloud Platform organization. Access Transparency logs, alongside the Cloud Audit Logging logs of actions taken by your own internal members, can help you answer questions about “who did what, where, and when?”.

Access Transparency logs can be integrated with your existing security information and event management (SIEM) tools to automate your audits of these actions. These logs are available in the Google Cloud Platform Console alongside your Cloud Audit Logging logs.

Access Transparency log entries include the following types of details:

  • The affected resource and action.
  • The time of the action.
  • The reasons for the action (for example, the case number associated with a customer support request).
  • Data about who is acting on the data (for example, the Google staff member's location).

Set up Access Transparency

To configure Access Transparency logs, see the Access Transparency overview.

Viewing Access Transparency logs

Once you have configured Access Transparency for your GCP organization, set controls for who can access Access Transparency logs by assigning a user or group the Private Logs Viewer role. See the Logging access control guide for details.

To learn how to see your Access Transparency logs in the Logs Viewer, see Viewing logs.

You can monitor the logs by using the Stackdriver APIs or using Cloud Functions. To get started, see the Stackdriver Monitoring documentation.

Optional: Create a logs-based metric and then set up an alerting policy to give you timely awareness of issues surfaced by these audit logs.

Sample Access Transparency log

The following is an example of an Access Transparency log entry, shown as the JSON that the logging pipeline delivers (the reason and accesses fields are arrays of objects):

{
  "insertId": "abcdefg12345",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {
      "principalOfficeCountry": "US",
      "principalEmployingEntity": "Google LLC",
      "principalPhysicalLocationCountry": "CA"
    },
    "product": [
      "Cloud Storage"
    ],
    "reason": [
      {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      }
    ],
    "accesses": [
      {
        "methodName": "GoogleInternal.Read",
        "resourceName": "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"
      }
    ]
  },
  "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "operation": {
    "id": "12345xyz"
  },
  "receiveTimestamp": "2017-12-18T16:06:37.400577736Z",
  "resource": {
    "labels": {
      "project_id": "1234567890"
    },
    "type": "project"
  },
  "severity": "NOTICE",
  "timestamp": "2017-12-18T16:06:24.660001Z"
}

Log field descriptions

insertId
  Unique identifier for the log entry.

@type
  Access Transparency log identifier.

principalOfficeCountry
  ISO 3166-1 alpha-2 code of the country in which the accessor has a permanent desk; "??" if the location is not available; or a 3-character continent identifier when the Google employee is in a low-population country.

principalEmployingEntity
  The Google entity that employs the person making the access (for example, Google LLC).

principalPhysicalLocationCountry
  ISO 3166-1 alpha-2 code of the country from which the access was made; "??" if the location is not available; or a 3-character continent identifier when the Google employee is in a low-population country.

product
  The customer's GCP product that was accessed.

reason:detail
  Details of the reason, for example, a support ticket ID.

reason:type
  Access reason type (for example, CUSTOMER_INITIATED_SUPPORT).

accesses:methodName
  What type of access was made (for example, GoogleInternal.Read).

accesses:resourceName
  Name of the resource that was accessed.

logName
  Name of the log location.

operation:id
  Log cluster ID.

receiveTimestamp
  Time the log entry describing the access was received by the logging pipeline.

project_id
  Project associated with the resource that was accessed.

type
  Type of resource that was accessed (for example, project).

severity
  Log severity.

timestamp
  Time the log was written.

Justification reason codes

CUSTOMER_INITIATED_SUPPORT
  Customer-initiated support, for example, Case Number: ####

GOOGLE_INITIATED_SERVICE
  Google-initiated access, for example, to perform system management and troubleshooting, which includes:
  • Backup and recovery from outages and system failures
  • Investigation to confirm that the customer is not affected by suspected service issues
  • Remediation of technical issues, such as storage failure or data corruption

THIRD_PARTY_DATA_REQUEST
  Customer-initiated access by Google to respond to a legal request or legal process, including when responding to legal process from the customer that requires Google to access the customer's own data. Note that Access Transparency logs in this case may not be available if Google cannot legally inform the customer of such a request or process.

GOOGLE_INITIATED_REVIEW
  Google-initiated access for security, fraud, abuse, or compliance purposes, including:
  • Ensuring the safety and security of customer accounts and data
  • Confirming whether data is affected by an event that may impact account security (for example, malware infections)
  • Confirming whether the customer is using Google services in compliance with the Google Terms of Service
  • Investigating complaints by other users and customers, or other signals of abusive activity
  • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
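The following is an added example, not Google's code or anything from this page's product, of how a defender might triage the entries described above once they reach a SIEM or a Cloud Function fed by a log sink. It assumes entries arrive as parsed JSON objects in the shape of the sample log above, that the organization keeps a set of open support case numbers, and that it knows which principalPhysicalLocationCountry values it expects. Each entry's reason type is checked against the justification codes listed on this page, CUSTOMER_INITIATED_SUPPORT accesses are matched to an open case, and everything else is flagged for manual review. The logging_filter helper builds the advanced-logs filter that selects Access Transparency entries for a project, which is also the filter a logs-based metric for alerting would use. All sample entries are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# logName suffix that identifies Access Transparency entries (from the page).
ACCESS_TRANSPARENCY_LOG = "cloudaudit.googleapis.com%2Faccess_transparency"

# Justification reason codes documented on this page.
KNOWN_REASON_TYPES = {
    "CUSTOMER_INITIATED_SUPPORT",
    "GOOGLE_INITIATED_SERVICE",
    "THIRD_PARTY_DATA_REQUEST",
    "GOOGLE_INITIATED_REVIEW",
}

# Matches the "Case number: bar123" convention used in reason.detail.
CASE_NUMBER_RE = re.compile(r"Case number:\s*(\S+)", re.IGNORECASE)


def logging_filter(project_id: str) -> str:
    """Advanced logs filter that selects a project's Access Transparency entries.

    The same filter string can back a logs-based metric used for alerting.
    """
    return f'logName="projects/{project_id}/logs/{ACCESS_TRANSPARENCY_LOG}"'


@dataclass
class Finding:
    insert_id: str
    timestamp: str
    reason_type: str
    case_number: Optional[str]
    physical_country: str
    resources: List[str]
    flags: List[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.flags)


def triage_entry(entry: dict, open_cases: set, allowed_countries: set) -> Optional[Finding]:
    """Extract the security-relevant fields of one entry and attach review flags.

    Returns None for entries that are not Access Transparency logs.
    """
    if not entry.get("logName", "").endswith(ACCESS_TRANSPARENCY_LOG):
        return None
    payload = entry.get("jsonPayload", {})
    reasons = payload.get("reason") or []
    reason_type = reasons[0].get("type", "UNSPECIFIED") if reasons else "UNSPECIFIED"
    detail = reasons[0].get("detail", "") if reasons else ""
    match = CASE_NUMBER_RE.search(detail)
    case_number = match.group(1) if match else None
    country = payload.get("location", {}).get("principalPhysicalLocationCountry", "??")
    resources = [a.get("resourceName", "") for a in payload.get("accesses", [])]

    finding = Finding(entry.get("insertId", ""), entry.get("timestamp", ""),
                      reason_type, case_number, country, resources)
    if reason_type not in KNOWN_REASON_TYPES:
        finding.flags.append(f"unknown reason type {reason_type}")
    elif reason_type == "CUSTOMER_INITIATED_SUPPORT":
        # A support access should trace back to a ticket the customer actually opened.
        if case_number is None or case_number not in open_cases:
            finding.flags.append("support access with no matching open case")
    else:
        # Google-initiated and legal-process accesses carry no customer ticket to match.
        finding.flags.append(f"{reason_type}: no customer case to match, review manually")
    if country not in allowed_countries:
        finding.flags.append(f"access from unexpected country {country}")
    return finding


def triage(entries: Iterable[dict], open_cases: set, allowed_countries: set) -> List[Finding]:
    """Run triage_entry over a batch of parsed log entries, skipping non-AT logs."""
    findings = [triage_entry(e, open_cases, allowed_countries) for e in entries]
    return [f for f in findings if f is not None]


def make_entry(insert_id, reason_type, detail, country, log_suffix=ACCESS_TRANSPARENCY_LOG):
    """Build a constructed entry in the shape of the page's sample log (test data only)."""
    return {
        "insertId": insert_id,
        "timestamp": "2017-12-18T16:06:24.660001Z",
        "logName": f"projects/[PROJECT_NAME]/logs/{log_suffix}",
        "jsonPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "location": {"principalOfficeCountry": "US",
                         "principalEmployingEntity": "Google LLC",
                         "principalPhysicalLocationCountry": country},
            "product": ["Cloud Storage"],
            "reason": [{"detail": detail, "type": reason_type}],
            "accesses": [{"methodName": "GoogleInternal.Read",
                          "resourceName": "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"}],
        },
    }


# Constructed sample batch: the page's sample, a review access with no location,
# a support access citing an unknown case, and a non-AT audit log that is skipped.
SAMPLE_ENTRIES = [
    make_entry("abcdefg12345", "CUSTOMER_INITIATED_SUPPORT", "Case number: bar123", "CA"),
    make_entry("sample-2", "GOOGLE_INITIATED_REVIEW", "", "??"),
    make_entry("sample-3", "CUSTOMER_INITIATED_SUPPORT", "Case number: zzz999", "DE"),
    make_entry("sample-4", "CUSTOMER_INITIATED_SUPPORT", "Case number: bar123", "CA",
               "cloudaudit.googleapis.com%2Factivity"),
]

if __name__ == "__main__":
    print(logging_filter("[PROJECT_NAME]"))
    for f in triage(SAMPLE_ENTRIES, open_cases={"bar123"}, allowed_countries={"US", "CA"}):
        status = "REVIEW" if f.needs_review else "ok"
        print(f"{f.timestamp} {f.insert_id} {f.reason_type} {status} {f.flags}")
```

The open-case set and allowed-country set are the two pieces of local context the log itself cannot supply; in practice they would come from the organization's ticketing system and its own policy rather than being hard-coded as here.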