How to Read Access Transparency Logs

This page describes how to get started with Access Transparency, the contents of Access Transparency logs, and the meaning of the log entries.

Access Transparency logs in detail

By using Access Transparency logs with Cloud Audit Logging, you can audit a record of actions taken by both your own internal organization members and Google staff. Access Transparency logs can also be integrated with your existing SIEM tools to automate your audits of these actions.

Access Transparency logs are available in the Google Cloud Platform Console alongside your Cloud Audit Logging logs. They include the following types of details:

  • The affected resource and action.
  • The time of the action.
  • The reason for the action (for example, the case number associated with a customer support request).
  • Data about the Google staff member acting on the data (for example, the staff member's location).

Set up and use Access Transparency

  1. To configure Access Transparency logs, see Configuring Access Transparency.

  2. In the Google Cloud Platform Console, set controls for who can access Access Transparency logs by assigning a user or group the Private Logs Viewer. See the Logging access control guide for details.

  3. See your Access Transparency logs in the Logs Viewer.

  4. Optional: Create a logs-based metric and then set up an alerting policy to give you timely awareness of issues surfaced by these audit logs.

Sample Access Transparency log

The following is an example of an Access Transparency log entry:

{
 insertId:  "abcdefg12345"
 jsonPayload: {
  @type:  "type.googleapis.com/google.cloud.audit.TransparencyLog"
  location: {
   principalOfficeCountry:  "US"
   principalEmployingEntity:  "Google LLC"
   principalPhysicalLocationCountry:  "CA"
  }
  product: [
   0:  "Cloud Storage"
  ]
  reason: [
    detail:  "Case number: bar123"
    type:  "CUSTOMER_INITIATED_SUPPORT"
  ]
  accesses: [
   0: {
    methodName: "GoogleInternal.Read"
    resourceName: "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"
    }
  ]
 }
 logName:  "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency"
 operation: {
  id:  "12345xyz"
 }
 receiveTimestamp:  "2017-12-18T16:06:37.400577736Z"
 resource: {
  labels: {
   project_id:  "1234567890"
  }
  type:  "project"
 }
 severity:  "NOTICE"
 timestamp:  "2017-12-18T16:06:24.660001Z"
}

Log field descriptions

Field Description
insertId Unique log id.
@type Access Transparency log identifier.
principalOfficeCountry ISO 3166-1 alpha-2 country code of country in which the accessor has a permanent desk, "??" if location not available, or 3-character continent identifier where Googler is in a low-population country (ASI, EUR, OCE, AFR, NAM, SAM, ANT).
principalEmployingEntity Google entity that employs the person making the access (e.g. `Google LLC`).
principalPhysicalLocationCountry ISO 3166-1 alpha-2 country code of country from which access was made, "??" if location not available, or 3-character continent identifier where Googler is in a low-population country (ASI, EUR, OCE, AFR, NAM, SAM, ANT).
product Customer’s Google Cloud Product which was accessed
reason:detail Details of the reason, for example, a support ticket ID
reason:type Access reason type (for example CUSTOMER_INTIATED_SUPPORT)
accesses:methodName What type of access was made (for example, 'GoogleInternal.Read').
accesses:resourceName Name of resource that was accessed.
logName Name of the log location.
operation:id Log cluster ID.
receiveTimestamp Time the access was received by the logging pipeline.
project_id Project associated with the resource that was accessed.
type Type of resource which was accessed (for example, ‘project’).
severity Log severity.
timestamp Time the log was written

Justification reason codes

Reason Description
CUSTOMER_INTIATED_SUPPORT Customer-Initiated support, for example,
Case Number: ####
GOOGLE_INITIATED_SERVICE Google initiated access to perform system management and troubleshooting, which includes:
  • Backup and recovery from outages and system failures
  • Investigation to confirm that the customer is not affected by suspected service issues
  • Remediation of technical issues, such as storage failure or data corruption
THIRD_PARTY_DATA_REQUEST Google accesses customer data in order to respond to a legal request or legal process, including when we respond to legal process from the customer that requires that we access the customer's own data. Note that Access Transparency logs in this case may not be available if Google cannot legally inform you of such a request or process.
GOOGLE_INITIATED_REVIEW Google initiated access for security, fraud, abuse, or compliance purposes, including:
  • Ensuring the safety and security of customer accounts and data
  • Confirming whether data is affected by an event that may impact account security (for example, malware infections)
  • Confirming whether customer is using Google services in compliance with Google Terms of Service
  • Investigating complaints by other users and customers, or other signals of abusive activity
  • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
Var denne side nyttig? Giv os en anmeldelse af den:

Send feedback om...

Stackdriver Logging