0

I would like to understand what can be captured in Data Access and Access Transparency Cloud Audit logs in GCP to consider it more 'risky' for users to view the logs. That is, why is it necessary to separate these logs from Admin Activity logs for example requiring the permission logging.privateLogEntries.list to view these logs?

I recognise that the callerIP can be considered personal information (in the context of GDPR) but this is identifiable from Admin Activity logs which don't require the additional permission logging.privateLogEntries.list.

I understand that Data Access logs and Access Transparency logs would list bucket names for example - is that the extent of what could be considered sensitive?

Would secrets be exposed in logs? I can't find enough detail in the GCP documentation.

karel
  • 5,489
  • 46
  • 45
  • 50
ellefc
  • 233
  • 2
  • 9
  • **Access Transparency logs record the actions taken by Google personnel** That is quite different from Audit logs which record actions taken by your IAM members. Both logs should only be accessed by **authorized** users. You must define which users have that privilege as very sensitive information is recorded such as IP addresses, email addresses, bucket names, etc. The data within those objects is not recorded, just the admin level actions and identity information (who, what, when, where). – John Hanley Sep 30 '21 at 18:43

1 Answers1

0

  • As mentioned by @John Hanley, Data Access audit logs and Access Transparency do not record the data-access operations on resources that are publicly shared (available to All Users or All Authenticated Users) or that can be accessed without logging into Google Cloud because they record the actions taken by Google personnel and staff which are private log entries.

  • Publicly available resources that have the Identity and Access Management policies allAuthenticatedUsers or allUsers don't generate audit logs. Resources that can be accessed without logging into a Google Cloud, Google Workspace, Cloud Identity, or Drive Enterprise account don't generate audit logs. This helps protect end-user identities and information.

  • The difference here is that, while Audit Logs provides logs about actions taken by members within your own organization, Access Transparency provides logs of actions taken by Google staff and includes information about: The affected resource and action which is sensitive.

  • To view these logs, you must have the Cloud IAM roles Logging/Private Logs Viewer or Project/Owner. You can set controls for who can access the Access Transparency and Data access logs by assigning a user or group the Private Logs Viewer role because very sensitive information is recorded such as IP addresses, email addresses, bucket names.

  • roles/logging.viewer (Logs Viewer) gives you read-only access to all features of Logging which include public log entries. Whereas Access Transparency logs and Data Access audit logs should have permissions like roles/logging.privateLogViewer (Private Logs Viewer) which includes roles/logging.viewer, plus the ability to read private log entries.

Note that if private log entries are routed to a user-defined bucket, then any principal with read permissions for that bucket can view the log entries.

CallerIP is the IP address of the caller. For callers from the internet, this will be a public IPv4 or IPv6 address. So this can be included in Admin Activity logs. Whereas Data Access logs and Access Transparency logs include private log entries like admin level actions and identity information (who, what, when, where).

Jyothi Kiranmayi
  • 2,090
  • 5
  • 14