How to Read Access Transparency Logs

This page describes how to get started with Access Transparency, the contents of Access Transparency logs, and the meaning of the log entries.

Access Transparency logs in detail

Google Cloud Platform customers will likely already be familiar with Cloud Audit Logging logs, which are designed to help you answer the question of “who did what, where, and when?” with respect to your platform configuration and data. While Cloud Audit Logging provides this capability for your own staff, until now the actions of Google staff were not visible in these logs.

By using Access Transparency logs together with Cloud Audit Logging, you can audit a record of actions taken by both your own staff and Google staff. Access Transparency logs can also be integrated with your existing SIEM tools to automate your audits of these actions.

Access Transparency logs are available in the same console in which you find your Cloud Audit Logging logs, with detail showing:

  • The affected resource and action
  • The time of the action
  • The reason for the action (for example, the case number associated with a customer support request)
  • Data about the Google staff member acting on the data (for example, location)

Set up and use Access Transparency

  1. Enable Access Transparency logging by contacting GCP Sales or GCP Support.

  2. In the GCP Console, set controls for who can access Access Transparency logs by assigning a user or group the Private Logs Viewer role. See the Logging Access Control Guide for details.

  3. See your Access Transparency logs in the Logs Viewer.

  4. Optional: Create a logs-based metric and then set up an alerting policy to give you timely awareness of issues surfaced by these audit logs.

Sample Access Transparency log

The following is an example of an Access Transparency log entry.

{
  "insertId": "abcdefg12345",
  "jsonPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
    "location": {
      "principalOfficeCountry": "US",
      "principalEmployingEntity": "Google, LLC",
      "principalPhysicalLocationCountry": "CA"
    },
    "product": [
      "Cloud Storage"
    ],
    "reason": [
      {
        "detail": "Case number: bar123",
        "type": "CUSTOMER_INITIATED_SUPPORT"
      }
    ],
    "accesses": [
      {
        "methodName": "GoogleInternal.Read",
        "resourceName": "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"
      }
    ]
  },
  "logName": "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency",
  "operation": {
    "id": "12345xyz"
  },
  "receiveTimestamp": "2017-12-18T16:06:37.400577736Z",
  "resource": {
    "labels": {
      "project_id": "1234567890"
    },
    "type": "project"
  },
  "severity": "NOTICE",
  "timestamp": "2017-12-18T16:06:24.660001Z"
}

Log field descriptions

Field                             Description
insertId                          Unique log ID.
@type                             Access Transparency log identifier.
principalOfficeCountry            ISO 3166-1 alpha-2 country code of the country in which the accessor has a permanent desk; "??" if the location is not available; or a 3-character continent identifier (ASI, EUR, OCE, AFR, NAM, SAM, ANT) where the Googler is in a low-population country.
principalEmployingEntity          Google entity that employs the person making the access (for example, Google, LLC).
principalPhysicalLocationCountry  ISO 3166-1 alpha-2 country code of the country from which the access was made; "??" if the location is not available; or a 3-character continent identifier (ASI, EUR, OCE, AFR, NAM, SAM, ANT) where the Googler is in a low-population country.
product                           Customer’s Google Cloud product that was accessed.
reason:detail                     Details of the reason, for example, a support ticket ID.
reason:type                       Access reason type (for example, CUSTOMER_INITIATED_SUPPORT).
accesses:methodName               What type of access was made (for example, 'GoogleInternal.Read').
accesses:resourceName             Name of the resource that was accessed.
logName                           Name of the log location.
operation:id                      Log cluster ID.
receiveTimestamp                  Time the access was received by the logging pipeline.
project_id                        Project associated with the resource that was accessed.
type                              Type of resource that was accessed (for example, ‘project’).
severity                          Log severity.
timestamp                         Time the log was written.

Justification Reason Codes

Reason                      Description
CUSTOMER_INITIATED_SUPPORT  Customer-initiated support, for example, Case Number: ####
GOOGLE_INITIATED_SERVICE    Google-initiated access to perform system management and troubleshooting, which includes:
  • Backup and recovery from outages and system failures
  • Investigation to confirm that the customer is not affected by suspected service issues
  • Remediation of technical issues, such as storage failure or data corruption
THIRD_PARTY_DATA_REQUEST    Google accesses customer data in order to respond to a legal request or legal process, including when we respond to legal process from the customer that requires that we access the customer's own data. Note that Access Transparency logs in this case may not be available if Google cannot legally inform you of such a request or process.
GOOGLE_INITIATED_REVIEW     Google-initiated access for security, fraud, abuse, or compliance purposes, including:
  • Ensuring the safety and security of customer accounts and data
  • Confirming whether data is affected by an event that may impact account security (for example, malware infections)
  • Confirming whether the customer is using Google services in compliance with the Google Terms of Service
  • Investigating complaints by other users and customers, or other signals of abusive activity
  • Checking that Google services are being used consistently with relevant compliance regimes (for example, anti-money laundering regulations)
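The following Python script is an added example, not code from this page or from Google. It shows how an audit team might consume these entries once they are exported from Cloud Logging to a SIEM: it assumes a JSON-lines export in the shape of the sample entry above, filters on the @type shown there, flattens the fields described in the table, and applies the review rules the reason-code table suggests (reconcile CUSTOMER_INITIATED_SUPPORT accesses against your own open case numbers, route THIRD_PARTY_DATA_REQUEST accesses to legal review, note entries whose accessor location is "??"). The sample entries, case numbers and insertIds are constructed; [PROJECT_NAME] and [BUCKET_NAME] are the page's placeholders.

```python
"""Triage exported Access Transparency entries (added example; constructed data)."""
import json
import re
from collections import Counter

AT_PAYLOAD_TYPE = "type.googleapis.com/google.cloud.audit.TransparencyLog"
AT_LOG_NAME = "projects/[PROJECT_NAME]/logs/cloudaudit.googleapis.com%2Faccess_transparency"

# Reason types documented on this page.
KNOWN_REASONS = {"CUSTOMER_INITIATED_SUPPORT", "GOOGLE_INITIATED_SERVICE",
                 "THIRD_PARTY_DATA_REQUEST", "GOOGLE_INITIATED_REVIEW"}

# Matches the "Case number: bar123" form used in reason.detail.
CASE_RE = re.compile(r"case number:\s*(\S+)", re.IGNORECASE)


def _entry(insert_id, reason, office, physical, resource):
    """Build a constructed entry in the documented shape (sample-data helper)."""
    return {
        "insertId": insert_id,
        "jsonPayload": {
            "@type": AT_PAYLOAD_TYPE,
            "location": {"principalOfficeCountry": office,
                         "principalEmployingEntity": "Google, LLC",
                         "principalPhysicalLocationCountry": physical},
            "product": ["Cloud Storage"],
            "reason": [reason],
            "accesses": [{"methodName": "GoogleInternal.Read", "resourceName": resource}],
        },
        "logName": AT_LOG_NAME,
        "severity": "NOTICE",
        "timestamp": "2017-12-18T16:06:24.660001Z",
    }


# Constructed JSON-lines export. The last line is an ordinary Cloud Audit Logging
# entry, not an Access Transparency entry, and must be skipped by the parser.
SAMPLE_EXPORT = "\n".join(json.dumps(e) for e in [
    _entry("abcdefg12345", {"detail": "Case number: bar123", "type": "CUSTOMER_INITIATED_SUPPORT"},
           "US", "CA", "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo123"),
    _entry("review001", {"type": "GOOGLE_INITIATED_REVIEW"},
           "US", "??", "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo456"),
    _entry("support002", {"detail": "Case number: zzz999", "type": "CUSTOMER_INITIATED_SUPPORT"},
           "EUR", "IE", "//googleapis.com/storage/buckets/[BUCKET_NAME]/objects/foo789"),
    {"insertId": "notat001", "jsonPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog"}},
])


def parse_entries(text):
    """Yield only Access Transparency entries from a JSON-lines export."""
    for line in text.splitlines():
        if line.strip():
            entry = json.loads(line)
            if entry.get("jsonPayload", {}).get("@type") == AT_PAYLOAD_TYPE:
                yield entry


def summarize(entry):
    """Flatten the fields an analyst reviews into one dict."""
    p = entry["jsonPayload"]
    loc = p.get("location", {})
    reasons = p.get("reason", [])
    cases = []
    for r in reasons:
        m = CASE_RE.search(r.get("detail", ""))
        if m:
            cases.append(m.group(1))
    return {
        "insertId": entry.get("insertId"),
        "timestamp": entry.get("timestamp"),
        "reason_types": [r.get("type") for r in reasons],
        "case_numbers": cases,
        "office_country": loc.get("principalOfficeCountry"),
        "physical_country": loc.get("principalPhysicalLocationCountry"),
        "resources": [a.get("resourceName") for a in p.get("accesses", [])],
    }


def findings(summary, open_cases):
    """Return review flags for one entry; an empty list means nothing to chase."""
    flags = []
    for rt in summary["reason_types"]:
        if rt not in KNOWN_REASONS:
            flags.append(f"unknown reason type {rt!r}")
    if "CUSTOMER_INITIATED_SUPPORT" in summary["reason_types"]:
        if not summary["case_numbers"]:
            flags.append("support access without a case number")
        for c in summary["case_numbers"]:
            if c not in open_cases:
                flags.append(f"case {c} is not one of your open support cases")
    if "THIRD_PARTY_DATA_REQUEST" in summary["reason_types"]:
        flags.append("legal-process access: route to legal/compliance review")
    if "??" in (summary["office_country"], summary["physical_country"]):
        flags.append("accessor location unavailable")
    return flags


def triage(text, open_cases):
    """Map each entry's insertId to its flags, plus a Counter of reason types seen."""
    by_id, reason_counts = {}, Counter()
    for entry in parse_entries(text):
        s = summarize(entry)
        reason_counts.update(s["reason_types"])
        by_id[s["insertId"]] = findings(s, open_cases)
    return by_id, reason_counts


if __name__ == "__main__":
    flagged, counts = triage(SAMPLE_EXPORT, open_cases={"bar123"})
    print(dict(counts))
    for insert_id, flags in flagged.items():
        print(insert_id, flags or "ok")
```

Run against the constructed export with {"bar123"} as the only open case, the page's own sample entry produces no flags, the review entry is flagged only for its "??" location, and the second support entry is flagged because its case number does not match any ticket you opened. The set of open cases is the key input: Access Transparency tells you a Google accessor cited a case number, and only your own support records can confirm that the case is genuinely yours.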