Cloud Audit Logs with Cloud Storage

This page provides supplemental information for using Cloud Audit Logs with Cloud Storage. Use Cloud Audit Logs to generate logs for API operations performed in Cloud Storage. To set up Cloud Audit Logs, see Configuring Data Access Logs.

Overview

Google Cloud services write audit logs to help you answer the questions, "Who did what, where, and when?" Your Cloud projects contain only the audit logs for resources that are directly within the project. Other entities, such as folders, organizations, and Cloud Billing accounts, contain the audit logs for the entity itself.

For a general overview of Cloud Audit Logs, see Cloud Audit Logs. For a deeper understanding of Cloud Audit Logs, review Understanding audit logs.

Cloud Audit Logs generates the following audit logs for operations in Cloud Storage:

Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object.
Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs:
- ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object.
- DATA_READ: Entries for operations that read an object.
- DATA_WRITE: Entries for operations that create or modify an object.

Audited operations

The following table summarizes which Cloud Storage operations correspond to each audit log type:

Log entry type	Sub-type	Operations
Admin Activity		Creating buckets Deleting buckets Setting/changing IAM policies Changing object ACLs³ Updating bucket metadata
Data Access	`ADMIN_READ`	Getting bucket metadata Getting IAM policies Getting object ACLs Listing buckets
	`DATA_READ`	Getting object data Getting object metadata Listing objects Copying/composing objects¹
	`DATA_WRITE`	Creating objects Deleting objects² Updating non-ACL object metadata² Copying/composing objects¹

¹ Copying and composing are non-atomic: they each read and write data. As a result, they generate two log entries.

² Cloud Audit Logs does not log actions taken by the Object Lifecycle Management feature. For alternatives that track these actions, see Options for tracking Lifecycle actions.

³ Admin Activity logs are not generated if/when ACLs are initially set at object creation. Additionally, if an object ACL is set to public, audit logs are not generated for reads or writes to that object or its ACL.

Audit log format

Audit log entries include the following components:

The log entry itself, which is a LogEntry object. Useful fields within a log entry include the following:
- The logName contains the project identification and audit log type.
- The resource contains the target of the audited operation.
- The timeStamp contains the time of the audited operation.
- The protoPayload contains the audited information.
The audit logging data, which is an AuditLog object held in the protoPayload field of the log entry. An AuditLog object entry contains information such as:
- The user who made the request, including the email address of that user.
- The resource name on which the request was made.
- The outcome of the request.
- Optionally, detailed request and response information. For more information, see Detailed Audit Logging mode.

For other fields in these objects, and how to interpret them, review Understanding audit logs.

Log name

The logName field indicates the Cloud project or other Google Cloud entity that owns the audit logs and whether the log entry contains Admin Activity or Data Access logging data. For example, the following shows the log names for a project's Admin Activity audit logs and its Data Access audit logs. The variable denotes the project associated with the log.

projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity
projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access

Service name

Logs pertaining to Cloud Storage operations use the service name storage.googleapis.com.

For information about all logging services, see Mapping services to resources.

Resource types

Logs pertaining to Cloud Storage are categorized under the resource type GCS bucket.

For a list of other resource types, see Monitored resource types.

Log settings

Admin Activity logs are recorded by default. These logs do not count towards your log ingestion quota.

Data Access logs pertaining to Cloud Storage operations are not recorded by default. To learn how to enable logs for data access-type operations, see Configuring Data Access Logs. Note that unlike Admin Activity logs, Data Access logs count towards your log ingestion quota and can affect your Cloud Logging charges.

Log access

The following users can view Admin Activity logs:

Project owners, editors, and viewers.
Users with the Logs Viewer IAM role.
Users with the logging.logEntries.list IAM permission.

The following users can view Data Access logs:

Project owners.
Users with the Private Logs Viewer IAM role.
Users with the logging.privateLogEntries.list IAM permission.

See Adding IAM members to a project for instructions on granting access.

Viewing logs

You can view a summary of the audit logs for your project in the Activity Stream in the Google Cloud Console. To explore other options for viewing your audit log entries, see Viewing audit logs.

Exporting logs

You can export audit logs in the same way that you export other kinds of logs. For details about how to export your logs, see Exporting logs.

Restrictions

The following restrictions apply to Cloud Audit Logs with Cloud Storage:

Cloud Audit Logs does not track access to public objects.
Cloud Audit Logs does not track changes made by the Object Lifecycle Management feature.
Data Access logs cause authenticated browser downloads to fail.

What's next

Try the Scenarios for exporting Cloud Logging tutorial.
Learn about pricing for Cloud Logging.