GCP Audit Logs

Audit GCP activity with Cloud Audit Logs.

Audit Log Types

```yaml
log_types:
  admin_activity:
    - Always enabled
    - API calls that modify resources
    - No charge

  data_access:
    - Must be enabled
    - Read/write data operations
    - Can be high volume

  system_event:
    - Always enabled
    - GCP system actions

  policy_denied:
    - Always enabled
    - Access denials
```

Enable Data Access Logs

```bash
# Export audit logs for all services to a Cloud Storage bucket.
# The filter matches every cloudaudit.googleapis.com log (all four log types).
gcloud logging sinks create audit-sink \
  storage.googleapis.com/audit-logs-bucket \
  --log-filter='logName:"cloudaudit.googleapis.com"'
# The sink's writer identity (printed when the sink is created) needs
# roles/storage.objectCreator on the bucket before any entries are delivered.

# Data Access logs are switched on through the project's IAM policy.
gcloud projects get-iam-policy PROJECT_ID > policy.yaml
# Add an auditConfigs section to policy.yaml, then write the policy back.
gcloud projects set-iam-policy PROJECT_ID policy.yaml
```
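The gcloud steps above leave the auditConfigs section itself to be written by hand. As an added example that is not part of the original page, the following Python builds that section in the structure IAM expects (the page's "all services" case is the `allServices` pseudo-service) and merges it into a policy exported as JSON, which `gcloud projects set-iam-policy` accepts just like YAML (`gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json`). The sample policy, its etag and the member names are constructed; bindings and etag are preserved so the optimistic concurrency check on set-iam-policy still applies.

```python
"""Add an auditConfigs section to an exported IAM policy (added example).

The policy file is handled as JSON so only the standard library is needed;
gcloud reads JSON and YAML policy files interchangeably.
"""
import json

# The three log types that can be enabled per service in auditConfigs.
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def enable_data_access_logs(policy: dict, service: str = "allServices",
                            log_types=DATA_ACCESS_LOG_TYPES,
                            exempted_members=()) -> dict:
    """Return a copy of `policy` with data access logging enabled for `service`.

    auditConfigs entries for other services are kept; an existing entry for
    `service` is replaced. `bindings`, `etag` and `version` are left untouched.
    """
    new_policy = json.loads(json.dumps(policy))  # deep copy, input unchanged
    audit_configs = [c for c in new_policy.get("auditConfigs", [])
                     if c.get("service") != service]
    entry = {"service": service, "auditLogConfigs": []}
    for log_type in log_types:
        cfg = {"logType": log_type}
        if exempted_members:
            # Members whose reads/writes should not be logged (e.g. a noisy CI account).
            cfg["exemptedMembers"] = list(exempted_members)
        entry["auditLogConfigs"].append(cfg)
    audit_configs.append(entry)
    new_policy["auditConfigs"] = audit_configs
    return new_policy


def data_access_logging_status(policy: dict, service: str = "allServices") -> dict:
    """Report which data access log types are enabled for `service`.

    Handy as a before/after compliance check on the exported policy.
    """
    enabled = {t: False for t in DATA_ACCESS_LOG_TYPES}
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != service:
            continue
        for log_cfg in cfg.get("auditLogConfigs", []):
            if log_cfg.get("logType") in enabled:
                enabled[log_cfg["logType"]] = True
    return enabled


def rewrite_policy_file(path: str) -> None:
    """Rewrite a file produced by `gcloud projects get-iam-policy --format=json`."""
    with open(path) as fh:
        policy = json.load(fh)
    with open(path, "w") as fh:
        json.dump(enable_data_access_logs(policy), fh, indent=2)


# Constructed sample in the shape gcloud returns; the etag is a placeholder.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/viewer", "members": ["user:alice@example.com"]}],
    "etag": "ETAG-PLACEHOLDER",
    "version": 1,
}

if __name__ == "__main__":
    updated = enable_data_access_logs(SAMPLE_POLICY)
    print(json.dumps(updated, indent=2))
    print(data_access_logging_status(updated))
```

After `rewrite_policy_file("policy.json")` the file is ready for `gcloud projects set-iam-policy PROJECT_ID policy.json`; re-running the function on an already updated policy replaces the `allServices` entry rather than duplicating it.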

BigQuery Analysis

```sql
-- Query audit logs from BigQuery export
-- LOWER() makes the match case-insensitive: BigQuery's LIKE is case-sensitive,
-- and method names such as google.iam.admin.v1.DeleteServiceAccount use a capital D.
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail,
  protopayload_auditlog.methodName,
  resource.labels.project_id
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
  AND LOWER(protopayload_auditlog.methodName) LIKE '%delete%'
ORDER BY timestamp DESC
```
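The same "deletes in the last 7 days" logic can be run without BigQuery over the raw entries a sink writes to Cloud Storage (one JSON object per line), which is useful for spot checks or for a sink that does not export to BigQuery yet. The following is an added example, not code from the original page: the log lines are constructed, and the raw export keeps the nested `protoPayload` field that BigQuery exposes as `protopayload_auditlog`. It matches the method name case-insensitively, so a mixed-case IAM method such as `DeleteServiceAccount` is not missed.

```python
"""Filter raw Cloud Audit Log export lines for recent delete operations.

Added example (not from the original page); the sample entries are constructed.
"""
import json
from datetime import datetime, timedelta, timezone


def _entry(ts, method, principal="alice@example.com", project="demo-project"):
    """Build one constructed audit log line in the exported JSON shape."""
    return json.dumps({
        "timestamp": ts,
        "logName": f"projects/{project}/logs/cloudaudit.googleapis.com%2Factivity",
        "resource": {"type": "gcs_bucket", "labels": {"project_id": project}},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": principal},
        },
    })


SAMPLE_LOG_LINES = [
    _entry("2024-05-10T12:00:00Z", "storage.buckets.delete"),
    # Mixed-case method name: a case-sensitive LIKE '%delete%' would miss it.
    _entry("2024-05-09T08:30:00Z", "google.iam.admin.v1.DeleteServiceAccount",
           principal="bob@example.com"),
    _entry("2024-04-01T00:00:00Z", "storage.buckets.delete"),  # outside the window
    _entry("2024-05-10T13:00:00Z", "storage.objects.get"),     # not a delete
]


def parse_timestamp(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; older Pythons reject a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def recent_deletes(lines, now=None, window=timedelta(days=7)):
    """Return (timestamp, principal, method, project_id) tuples, newest first,
    for entries within `window` of `now` whose method name contains 'delete'.

    The match is case-insensitive, unlike BigQuery's LIKE; `now` defaults to
    the current UTC time and is a parameter so results are reproducible.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - window
    rows = []
    for line in lines:
        entry = json.loads(line)
        ts = parse_timestamp(entry["timestamp"])
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if ts <= cutoff or "delete" not in method.lower():
            continue
        rows.append((
            ts,
            payload.get("authenticationInfo", {}).get("principalEmail"),
            method,
            entry.get("resource", {}).get("labels", {}).get("project_id"),
        ))
    rows.sort(key=lambda row: row[0], reverse=True)  # ORDER BY timestamp DESC
    return rows


if __name__ == "__main__":
    for row in recent_deletes(SAMPLE_LOG_LINES,
                              now=datetime(2024, 5, 11, tzinfo=timezone.utc)):
        print(*row)
```

Point `recent_deletes` at the lines of a downloaded export file (or at entries fetched with `gcloud logging read`, converted to JSON) and it returns the same four columns the BigQuery query selects; the case-insensitive match is the one deliberate difference from `LIKE '%delete%'`.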

Best Practices

  • Export to BigQuery for analysis
  • Configure log retention
  • Enable data access logs for sensitive resources
  • Set up alerting policies