- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
It is recommended that Cloud Audit Logging is configured to track all admin activities and read or write access to user data.
Admin Activity logs are always enabled. They cannot be disabled. Data Access audit logs are disabled by default because they can be quite large.
Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.
Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity audit logs are enabled for all services and cannot be configured.
Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.
There are three kinds of Data Access audit log information:
It is recommended to configure audit logging such that:
DATA_READ
(to log user activity tracking) and DATA_WRITES
(to
log changes/tampering to user data).There is no charge for Admin Activity audit logs. Enabling the Data Access audit logs might result in your project being charged for the additional logs usage.
exemptedMembers
is not set, as audit logging should be enabled for all users.gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If you are setting the policy at the organization level, it is not necessary to also set it for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID >
/tmp/folder_policy.yaml
Edit the policy in /tmp/policy.yaml
. Adding or change only the audit logs
configuration to:
auditConfigs:
- auditLogConfigs:
- logType: DATA_WRITE
- logType: DATA_READ
- service: allServices
To write new IAM policy, run the following commands:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID
/tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
If the preceding command reports a conflict with another change, then repeat these steps, starting with the first step.
DATA_READ
is as important as the log type DATA_WRITE
.