Cloud Audit Logs

Overview

Cloud Audit Logs = “who did what, where, when” across org/folder/project.

Types: Admin Activity, System Event, Data Access, Policy Denied.

Default retention: Admin/System = 400 days (free), Data Access = 30 days (when enabled), Policy Denied = on by default, storage billed.

Logs Explorer에서 cloudaudit 로 빠르게 필터. Access Transparency = human Googler access logs (별개).

Type	Captures	Default	Retention	Cost	View IAM
Admin Activity	Config/metadata writes (ex: create VM, change IAM)	Always on	400 days	Free	`roles/logging.viewer` or Project Viewer
System Event	Google-managed admin changes (system-initiated)	Always on	400 days	Free	`roles/logging.viewer` or Project Viewer
Data Access	Reads of config/metadata (admin-read) + reads/writes of user data	Off by default (except BigQuery)	30 days (default when enabled)	Ingestion billed (~$0.50/GB)	`roles/logging.privateLogViewer` (or Project Owner)
Policy Denied	When access is denied by policy	On by default	Project lifecycle	Storage billed	`roles/logging.viewer`

Go to Logs Explorer → Log name: type cloudaudit (스크롤보다 빠름).
Quick names:
- Activity: cloudaudit.googleapis.com/activity
- Data Access: cloudaudit.googleapis.com/data_access
- System: cloudaudit.googleapis.com/system_event
- Policy: cloudaudit.googleapis.com/policy

Tip: 특정 리소스/메서드 예시

resource.type="gce_instance"
protoPayload.serviceName="compute.googleapis.com"
protoPayload.methodName="v1.compute.instances.insert"

AT: records human Google 직원의 고객 데이터 접근. Near-real-time, surfaced via Cloud Logging / APIs / SCC. Enterprise 지원 SKU 필요.
Cloud Audit Logs: records your org members & systems actions on your GCP resources.
결론: 서로 보완적. (AT는 “Google touched my data?”, CAL은 “우리 사람이 뭘 했나?”)

Enable levels: Org / Folder / Project / (Service) / Billing Account.

최종 설정은 union(상위에서 켠 건 하위에서 끌 수 없음).
Types you can choose (세분화):
- ADMIN_READ: read metadata/config (ex: view bucket config)
- DATA_READ: read user data (ex: list/download GCS objects)
- DATA_WRITE: write user data (ex: create object)