Disabling Cloud Logging

Overview

This guide explains how to set a constraint (constraints/gcp.disableCloudLogging) that disables Cloud Logging at the level of an organization, a project, or a folder. The constraint does not affect Cloud Audit Logs. Logs that are generated before the constraint takes effect are not deleted and can be accessed after the constraint takes effect.

The constraint is only supported in the Cloud Healthcare API.

Disabling Cloud Logging

To disable Cloud Logging, you must have the Organization Administrator (roles/resourcemanager.organizationAdmin) role. This role can only be granted at the Organization level. You must have the Organization Policy Administrator (roles/orgpolicy.policyAdmin) role to set or change organization policies.

Console

To disable Cloud Logging:

  1. Sign in to the Google Cloud Console as a G Suite or Cloud Identity super administrator and go to the Organization policies page.

  2. Click Select, and then select the project, folder, or organization for which you want to view organization policies. The Organization policies page displays a list of organization policy constraints that are available.

  3. In the list of policies that appears, click Disable Cloud Logging. The Disable Cloud Logging policy uses the constraints/gcp.disableCloudLogging ID. The Policy details page that appears describes the constraint and provides information about how the constraint is currently applied.

  4. To customize the organization policy, click Edit.

  5. On the Edit page, select Customize.

  6. Under Enforcement, select an enforcement option:

    • To enable the constraint and disable Cloud Logging, select On.
    • To disable the constraint and enable Cloud Logging, select Off.

  7. Click Save.

gcloud

  1. Get the current policy on the organization resource using the describe command:

    gcloud beta resource-manager org-policies describe \
      constraints/gcp.disableCloudLogging --organization ORGANIZATION_ID
    

    Where ORGANIZATION_ID is the unique identifier for the organization resource. You can also apply the organization policy to a folder or a project with the --folder or the --project flags, and the folder ID and project ID, respectively.

    Because a policy isn't set, an incomplete policy is returned, like the following example:

    booleanPolicy: {}
    constraint: "constraints/gcp.disableCloudLogging"
    
  2. Set the policy to enforce on the organization using the enable-enforce command:

    gcloud beta resource-manager org-policies enable-enforce \
      constraints/gcp.disableCloudLogging --organization ORGANIZATION_ID
    

    After running the command, the following output displays:

    booleanPolicy:
      enforced: true
    constraint: constraints/gcp.disableCloudLogging
    etag: BwVJitxdiwY=
    
  3. View the current effective policy using describe --effective:

    gcloud beta resource-manager org-policies describe \
      constraints/gcp.disableCloudLogging --effective \
      --organization ORGANIZATION_ID
    

    After running the command, the following output displays:

    booleanPolicy:
      enforced: true
    constraint: constraints/gcp.disableCloudLogging
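
Added example (not part of the original guide): a shell helper that classifies the output of the describe --effective command from step 3, so an audit can report which resources have Cloud Logging disabled. The function names, the state labels and the handling of an `enforced: false` line are assumptions; the two sample outputs are copied from the steps above.

```shell
#!/bin/sh
CONSTRAINT="constraints/gcp.disableCloudLogging"

# Read `org-policies describe` YAML on stdin and print one state:
#   enforced      booleanPolicy has enforced: true (Cloud Logging disabled)
#   not-enforced  booleanPolicy has enforced: false (form not shown in this
#                 guide; handled as an assumption)
#   unset         booleanPolicy: {} (the incomplete policy from step 1)
#   unknown       output is empty or describes a different constraint
classify_policy() {
  awk -v want="$CONSTRAINT" '
    { gsub(/\r/, "") }                          # tolerate CRLF input
    /^constraint:/    { c = $2; gsub(/"/, "", c) }
    /^booleanPolicy:/ { in_bp = 1; next }
    /^[^ ]/           { in_bp = 0 }             # any other top-level key
    in_bp && /^[ ]+enforced:/ { enf = $2 }
    END {
      if (c != want)           print "unknown"
      else if (enf == "true")  print "enforced"
      else if (enf == "false") print "not-enforced"
      else                     print "unset"
    }'
}

# Report the effective state for each project ID given as an argument.
# Assumes gcloud is installed and authenticated; not called by the demo below.
audit_projects() {
  for p in "$@"; do
    state=$(gcloud beta resource-manager org-policies describe \
      "$CONSTRAINT" --effective --project "$p" | classify_policy)
    printf '%s\t%s\n' "$p" "$state"
  done
}

# Sample outputs copied from steps 1 and 2 of this guide.
sample_unset='booleanPolicy: {}
constraint: "constraints/gcp.disableCloudLogging"'
sample_enforced='booleanPolicy:
  enforced: true
constraint: constraints/gcp.disableCloudLogging
etag: BwVJitxdiwY='

printf '%s\n' "$sample_unset"    | classify_policy
printf '%s\n' "$sample_enforced" | classify_policy
```

A failed gcloud call produces no output and is reported as unknown, so it is not mistaken for a resource where logging is still enabled.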
    

What's next

See Using constraints for more information on creating an organization policy with a particular constraint.