Monitoring GCP audit logs provides a better understanding of who is accessing a resource, how they are doing it, and whether or not the access was permitted.
There are 3 types of audit logs.
System Event Audit Logs: Logged by default by GCP, System Event audit logs contain log entries for Google Cloud actions that modify the configuration of resources. System Event audit logs are generated by Google systems; they are not driven by direct user action.
Admin Activity Audit Logs: Logged by default by GCP, Admin Activity audit logs contain log entries for API calls or other actions that modify the configuration or metadata of resources. For example, these logs record when users create VM instances or change Identity and Access Management permissions.
Data Access Audit Logs: Enabled separately per resource, Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. Data Access audit logs don’t record the data-access operations on resources that are publicly shared.
Policy Denied Audit Logs: Generated by default; Cloud Logging records Policy Denied audit logs when a Google Cloud service denies access to a user or service account because of a security policy violation.
These logs can be forwarded through standard GCP log forwarding via Pub/Sub; the steps are documented here.
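Once the audit logs arrive from the Pub/Sub sink, the first thing a defender usually wants is exactly what the opening sentence describes: which of the four audit streams an entry belongs to, who the principal was, what method they called on which resource, and whether the call was permitted. The following Python is an added example, not code from the original page or from Google; it assumes each Pub/Sub message body is the standard Cloud Logging LogEntry JSON (with `logName`, `protoPayload.authenticationInfo`, `protoPayload.authorizationInfo` and `protoPayload.status`), and the sample entries it parses are constructed for illustration.

```python
"""Classify GCP audit log entries from a Pub/Sub sink and surface denied access.

Added example (not from the original page). Assumes entries are Cloud Logging
LogEntry JSON as written to a Pub/Sub sink. The sample entries below are
constructed for illustration and are not real log data.
"""
import json
from collections import Counter

# Log-name suffixes Cloud Logging uses for the four audit log streams.
AUDIT_LOG_TYPES = {
    "cloudaudit.googleapis.com%2Factivity": "Admin Activity",
    "cloudaudit.googleapis.com%2Fdata_access": "Data Access",
    "cloudaudit.googleapis.com%2Fsystem_event": "System Event",
    "cloudaudit.googleapis.com%2Fpolicy": "Policy Denied",
}


def _entry(stream, service, method, resource, principal, granted=None, code=0):
    """Build a constructed LogEntry with only the fields used below."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
    }
    if granted is not None:
        payload["authorizationInfo"] = [{"permission": method, "granted": granted}]
    if code:
        payload["status"] = {"code": code, "message": "PERMISSION_DENIED"}
    return {"logName": f"projects/example-project/logs/{stream}", "protoPayload": payload}


# Constructed sample messages, one JSON document per Pub/Sub message body.
SAMPLE_MESSAGES = [json.dumps(e) for e in [
    _entry("cloudaudit.googleapis.com%2Factivity", "compute.googleapis.com",
           "v1.compute.instances.insert",
           "projects/example-project/zones/us-central1-a/instances/vm-1",
           "alice@example.com", granted=True),
    _entry("cloudaudit.googleapis.com%2Fdata_access", "storage.googleapis.com",
           "storage.objects.get", "projects/_/buckets/example-bucket/objects/report.csv",
           "svc-reader@example-project.iam.gserviceaccount.com", granted=True),
    _entry("cloudaudit.googleapis.com%2Fdata_access", "storage.googleapis.com",
           "storage.objects.get", "projects/_/buckets/example-bucket/objects/report.csv",
           "bob@example.com", granted=False, code=7),
    _entry("cloudaudit.googleapis.com%2Fpolicy", "storage.googleapis.com",
           "storage.objects.get", "projects/_/buckets/example-bucket/objects/report.csv",
           "contractor@partner.example", code=7),
    _entry("cloudaudit.googleapis.com%2Fsystem_event", "compute.googleapis.com",
           "compute.instances.migrateOnHostMaintenance",
           "projects/example-project/zones/us-central1-a/instances/vm-1",
           "system@google.com"),
]]


def audit_type(entry):
    """Map the logName suffix to one of the four audit log types."""
    return AUDIT_LOG_TYPES.get(entry["logName"].rsplit("/", 1)[-1], "Not an audit log")


def permitted(entry):
    """False if the service reported an error status or any permission check failed."""
    payload = entry["protoPayload"]
    if payload.get("status", {}).get("code", 0) != 0:
        return False
    return all(a.get("granted", False) for a in payload.get("authorizationInfo", []))


def summarise(entry):
    """Who did what, to which resource, over which stream, and was it allowed."""
    payload = entry["protoPayload"]
    return {
        "type": audit_type(entry),
        "principal": payload["authenticationInfo"].get("principalEmail", "<unknown>"),
        "method": payload["methodName"],
        "resource": payload["resourceName"],
        "permitted": permitted(entry),
    }


def parse_messages(messages):
    """Decode raw Pub/Sub message bodies into summaries, skipping non-JSON bodies."""
    out = []
    for body in messages:
        try:
            out.append(summarise(json.loads(body)))
        except (ValueError, KeyError):
            continue  # malformed or non-audit message: drop, do not crash the consumer
    return out


def count_by_type(summaries):
    """Volume per audit stream, useful for spotting a missing Data Access config."""
    return dict(Counter(s["type"] for s in summaries))


def denied_accesses(summaries):
    """Principals whose calls were refused, from both Data Access and Policy Denied logs."""
    return [(s["principal"], s["method"], s["resource"]) for s in summaries if not s["permitted"]]


if __name__ == "__main__":
    rows = parse_messages(SAMPLE_MESSAGES)
    print(count_by_type(rows))
    for who, method, resource in denied_accesses(rows):
        print(f"DENIED {who} -> {method} on {resource}")
```

A Pub/Sub subscriber would feed message bodies into `parse_messages` and route `denied_accesses` to an alerting channel. Note that the Policy Denied and System Event samples carry no `authorizationInfo`, so `permitted` relies on `status.code` for them; an entry with neither field is treated as permitted, which is the right default for system-generated events but worth confirming against your own exported data.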
For more information on these, please visit Google’s documentation or our blog post.