This chapter covers IAM audit logging and data access logs in Google Cloud, a critical topic for the ACE exam under Security Compliance (Objective 5.1). You will learn the difference between admin activity, data access, and system event audit logs, how to enable and configure them, and how to analyze them for security and compliance. Expect 5-8% of exam questions to touch on audit logs, focusing on log types, retention, and permissions needed to view them.
Jump to a section
Imagine a bank with a sophisticated security camera system. The bank has two types of cameras: one set records who enters the vault (IAM audit logs) — it captures the identity of each person, the time they entered, and whether they used a key or a manager override. The other set records every transaction at the teller windows (data access logs) — it captures every detail of each transaction: account number, amount, type, and the teller who processed it. The vault camera is always on, but only records when someone approaches the vault. The teller cameras are also always on, but they only record when a transaction occurs. The bank manager can view the vault camera footage to see who accessed the vault and why, but cannot see the teller transactions. The compliance officer can view the teller camera footage to audit transactions for fraud, but cannot see who entered the vault. The bank's security policy dictates that footage must be retained for 400 days (default), and can be extended to 10 years for compliance. If a customer complains about an unauthorized transaction, the bank can review the teller camera footage to see exactly which teller processed it and what details were entered. If a vault key is lost, the vault camera footage shows who last used it. The key point: both camera systems are independent but complementary — you need both for full security auditing. In Google Cloud, IAM audit logs are like vault cameras: they record who did what at the resource level, while data access logs are like teller cameras: they record the actual data operations on the resources. Both are part of Cloud Audit Logs, but they serve different purposes and have different retention and configuration settings.
What Are Cloud Audit Logs and Why Do They Exist?
Cloud Audit Logs are Google Cloud's built-in, immutable record of administrative and data operations within your GCP environment. They serve three primary purposes: security monitoring, compliance auditing, and operational troubleshooting. The ACE exam tests your understanding of the three audit log types: Admin Activity, Data Access, and System Event. Each type captures different categories of operations, with different retention periods and enablement defaults.
Admin Activity audit logs (formerly called Admin Activity logs) record API calls or other administrative actions that modify the configuration or metadata of resources. These are enabled by default for all GCP services and are retained for 400 days. No additional cost. Examples: creating a VM, deleting a bucket, changing IAM policies.
Data Access audit logs record API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data. These are disabled by default (except for BigQuery) because they can generate large volumes of data. You must explicitly enable them per service. They are retained for 400 days (default) but can be extended with log sinks to Cloud Storage or BigQuery. Cost: charged for log volume.
System Event audit logs record Google Cloud system events that modify resource configuration. These are enabled by default and retained for 400 days. They are not user-initiated. Example: automatic repair of a Compute Engine instance.
How Audit Logs Work Internally
When an API call is made to a GCP service, the service's backend generates audit log entries based on the type of operation. The log entries are structured as LogEntry objects in Cloud Logging. Each entry contains:
logName: identifies the log type (e.g., projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity)
protoPayload: an AuditLog object containing the method, service name, authentication info, request/response metadata, and resource info.
resource: the monitored resource being accessed (e.g., gce_instance, gcs_bucket)
timestamp: when the operation occurred
severity: NOTICE, WARNING, ERROR, etc.
The audit log entry is written after the operation completes (or fails). For Admin Activity, the entry is written regardless of success or failure. For Data Access, the entry is written only if the operation is successful (some services record failures as well).
Key Components, Values, Defaults, and Timers
Retention: 400 days for all audit logs by default. Can be extended by exporting to Cloud Storage (set bucket lifecycle rules) or BigQuery (partition tables). Cannot be shortened.
Enablement: Admin Activity and System Event are always on. Data Access must be enabled per service via the Google Cloud Console, gcloud, or API.
Permissions: To view audit logs, you need logging.logEntries.list and logging.privateLogEntries.list for Data Access logs (since they contain sensitive data). For Admin Activity, logging.logEntries.list is sufficient. The roles roles/logging.viewer and roles/logging.privateLogViewer grant these permissions.
Log sinks: You can create log sinks to route audit logs to Cloud Storage, BigQuery, Pub/Sub, or another GCP project. This is how you extend retention or analyze logs with external tools.
Exclusions: You can create log exclusion filters to prevent certain entries from being ingested into Cloud Logging. This reduces cost but can break compliance.
BigQuery Data Access logs: BigQuery is the only service where Data Access logs are enabled by default. This is because BigQuery operations are inherently data-level.
Configuration and Verification Commands
To enable Data Access audit logs for a specific service (e.g., Cloud Storage), use the gcloud command:
gcloud logging settings update --enable-data-access --service=storage.googleapis.comTo view the current audit log configuration for a project:
gcloud logging settings describeTo list audit log entries:
gcloud logging read "logName=projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity" --limit=10To create a log sink to Cloud Storage:
gcloud logging sinks create my-sink storage.googleapis.com/my-bucket --log-filter='logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"'How Audit Logs Interact with Related Technologies
Cloud Logging: Audit logs are a subset of Cloud Logging. They appear in the Logs Explorer under the appropriate log name. You can query them using Logging Query Language.
IAM: To view audit logs, you need specific IAM roles. Misconfiguring IAM can lead to inability to see logs (too restrictive) or exposure of sensitive data (too permissive).
Cloud Asset Inventory: Can show historical resource changes but does not replace audit logs for detailed API call records.
Security Command Center: Ingests audit logs to provide security findings and threat detection.
Compliance frameworks: PCI DSS, HIPAA, SOC often require Data Access logs to be enabled and retained for specific periods.
Detailed Breakdown of Audit Log Types
#### Admin Activity Audit Logs
Admin Activity logs record API calls that modify resource configuration. They are always enabled. Examples:
compute.instances.insert (creating a VM)
storage.buckets.delete (deleting a bucket)
iam.roles.create (creating a custom role)
These logs are essential for tracking who changed what and when. They are retained for 400 days. You cannot disable them.
#### Data Access Audit Logs
Data Access logs record API calls that read resource configuration or data, or that modify user data. They are disabled by default (except BigQuery). You must enable them per service. Examples:
storage.objects.get (reading an object from a bucket)
bigquery.jobs.query (running a query on a dataset)
compute.instances.get (reading VM metadata)
Because these logs can be high-volume, enabling them for all services can significantly increase logging costs. Best practice: enable only for services that require compliance auditing.
#### System Event Audit Logs
System Event logs record actions taken by Google Cloud systems, not users. They are always enabled. Example:
compute.instances.repair (automatic repair of a VM)
These logs are useful for understanding automated system behavior. They are retained for 400 days.
Log Entry Structure Example (Admin Activity)
{
"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"serviceName": "compute.googleapis.com",
"methodName": "v1.compute.instances.insert",
"resourceName": "projects/my-project/zones/us-central1-a/instances/my-vm",
"authenticationInfo": {
"principalEmail": "admin@example.com"
},
"request": {
"name": "my-vm",
"zone": "us-central1-a"
},
"response": {
"id": "123456"
}
},
"resource": {
"type": "gce_instance",
"labels": {
"project_id": "my-project",
"zone": "us-central1-a",
"instance_id": "123456"
}
},
"timestamp": "2023-01-01T00:00:00Z",
"severity": "NOTICE"
}Common Exam Scenarios
Enabling Data Access logs for a specific service: Use gcloud logging settings update --enable-data-access --service=... or the Console.
Retention requirements: The exam might ask how to retain logs beyond 400 days — the answer is to export to Cloud Storage or BigQuery.
Permissions needed: Distinguish between roles/logging.viewer (can see Admin Activity) and roles/logging.privateLogViewer (can see Data Access).
Log exclusions: Creating an exclusion filter can prevent certain Data Access logs from being stored, which might be a compliance violation.
BigQuery exception: Remember that BigQuery Data Access logs are enabled by default.
Step-by-Step: Enabling Data Access Logs for Cloud Storage
Identify the service: storage.googleapis.com
Use gcloud: gcloud logging settings update --enable-data-access --service=storage.googleapis.com
Verify: gcloud logging settings describe looks for storage.googleapis.com with dataAccessEnabled: true
Optionally, create a log sink to export the logs for long-term retention.
Best Practices
Enable Data Access logs only for services that require compliance (e.g., storage buckets containing PII).
Use log exclusions to filter out noise (e.g., health checks) but be careful not to exclude compliance-relevant events.
Monitor log volume and costs using Cloud Monitoring and Billing reports.
Regularly review audit logs for suspicious activity using Security Command Center or custom queries.
Use VPC Service Controls to prevent exfiltration of audit logs.
Identify Audit Log Requirements
Start by determining which audit log types are needed based on compliance and security policies. Admin Activity logs are always on and sufficient for tracking configuration changes. If you need to track data reads or modifications (e.g., for PCI DSS), you must enable Data Access logs for specific services. Document which services (Cloud Storage, BigQuery, Compute Engine) require Data Access logging. Also determine retention requirements: 400 days default, but if longer is needed, plan for log exports to Cloud Storage or BigQuery.
Enable Data Access Logs
Use the Google Cloud Console, gcloud CLI, or REST API to enable Data Access logs per service. For example, to enable for Cloud Storage: `gcloud logging settings update --enable-data-access --service=storage.googleapis.com`. You can enable for multiple services by repeating the command. You can also set the default for all services using `--enable-data-access` without specifying a service, but this is not recommended due to cost. Verify the setting with `gcloud logging settings describe`.
Configure Log Exclusions (Optional)
To reduce volume and cost, create log exclusion filters to exclude certain log entries from being ingested. For example, exclude health check requests: `NOT resource.type="k8s_container" AND protoPayload.methodName="storage.objects.get" AND protoPayload.resourceName="projects/_/buckets/healthcheck-bucket/objects/*"`. Exclusions apply to all log sinks and the Logs Explorer. Be careful not to exclude compliance-critical events. Exclusions are created using the Console, gcloud, or Logging API.
Create Log Sinks for Long-Term Retention
If you need to retain audit logs beyond 400 days, create log sinks to export logs to Cloud Storage (for archival) or BigQuery (for analysis). Use a filter to include only the desired log types. Example: `gcloud logging sinks create my-sink storage.googleapis.com/my-bucket --log-filter='logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"'`. Set bucket lifecycle rules to delete objects after the required retention period (e.g., 7 years). Sinks can also route to Pub/Sub for real-time streaming.
Assign IAM Permissions for Log Access
Grant the principle of least privilege. For users who need to view Admin Activity logs, assign `roles/logging.viewer` (or `logging.logEntries.list`). For Data Access logs (which contain sensitive data), assign `roles/logging.privateLogViewer` (which includes `logging.privateLogEntries.list`). Do not grant these roles to users who do not need them. Also consider custom roles for more granular control. Remember that Data Access logs require the `privateLogEntries` permission.
Monitor and Analyze Audit Logs
Use the Logs Explorer to query audit logs. Create custom queries for specific methods or users. Set up alerts based on log entries (e.g., when a bucket is made public). Use Security Command Center for automated threat detection. Regularly review logs for anomalies. For compliance, generate reports from exported logs in BigQuery. Monitor log volume and costs; if Data Access logs are too expensive, refine exclusions or disable for non-critical services.
Enterprise Scenario 1: Healthcare Compliance (HIPAA)
A healthcare provider stores patient health information (PHI) in Cloud Storage buckets. To comply with HIPAA, they must log every access to the data (read and write) for at least 6 years. They enable Data Access logs for storage.googleapis.com and create a log sink to a Cloud Storage bucket with a lifecycle rule to delete objects after 7 years. They also create a BigQuery sink for analysis. They assign roles/logging.privateLogViewer only to the compliance team. They use log exclusions to filter out internal health check requests to reduce volume by 30%. They set up alerts in Security Command Center for any access from unexpected IPs. The challenge: log volume is high (millions of entries per day), so they partition BigQuery tables by date and use clustering on principalEmail to speed up queries.
Enterprise Scenario 2: Financial Services (PCI DSS)
A fintech company processes credit card transactions. PCI DSS requires logging all access to cardholder data. They enable Data Access logs for BigQuery (already on by default) and Cloud Storage. They also enable for Compute Engine to track VM access. They create a log sink to a centralized project's BigQuery dataset for cross-project analysis. They use VPC Service Controls to prevent exfiltration of logs. The security team uses custom dashboards in Looker to monitor for suspicious patterns. A common misconfiguration: they initially forgot to enable Data Access logs for Cloud Storage, missing compliance requirements. After a breach simulation, they realized the gap and enabled it. They also learned that setting an exclusion filter incorrectly can exclude critical events, so they now review exclusions with the compliance officer.
Enterprise Scenario 3: Multi-Tenant SaaS Platform
A SaaS company hosts multiple customer environments in separate GCP projects. They enable Admin Activity logs by default for all projects. For customers with compliance requirements, they enable Data Access logs per project. They use log sinks to aggregate all audit logs into a single BigQuery dataset in a central logging project. They use IAM conditions to restrict log access to specific project prefixes. They also use the gcloud logging settings update command via Infrastructure as Code (Terraform) to enable Data Access logs for new projects automatically. Performance consideration: with 100+ projects, the aggregated BigQuery dataset grows by 500 GB per month. They use partition expiration and clustering to manage costs. A common failure: when a new service is added (e.g., Cloud SQL), they forget to enable Data Access logs, leading to a compliance gap. They now have a CI/CD pipeline that checks for enabled audit logs on all services.
The ACE exam tests IAM audit logging under Objective 5.1 (Security Compliance). Expect 2-4 questions on this topic. Key areas:
Log Types and Defaults: Know that Admin Activity and System Event logs are always on; Data Access logs are off by default except for BigQuery. Memorize the retention period: 400 days. The exam may ask: 'Which audit log type is enabled by default for all services?' Answer: Admin Activity and System Event. A common wrong answer is 'Data Access' — candidates confuse the default state.
Permissions: The exam tests the difference between roles/logging.viewer and roles/logging.privateLogViewer. A question might say: 'A security analyst needs to view Data Access logs. What is the minimum role?' The correct answer is roles/logging.privateLogViewer. A trap: roles/logging.viewer only gives access to Admin Activity and System Event logs. Another trap: roles/logging.logWriter — that role is for writing logs, not reading.
Enabling Data Access Logs: You may be asked how to enable Data Access logs for a specific service. The correct gcloud command is gcloud logging settings update --enable-data-access --service=.... A wrong answer might include --enable-data-access without the service flag (enables for all) or using gcloud services enable (which is for APIs, not logging).
Log Exclusions and Sinks: The exam may ask about reducing log volume. Creating a log exclusion filter is the correct answer. A common wrong answer is disabling the audit log type — but Admin Activity cannot be disabled. Another trap: using a log sink filter to exclude entries — sinks filter what is exported, but the entries are still ingested into Cloud Logging and count toward cost. Exclusions prevent ingestion entirely.
BigQuery Exception: Remember that BigQuery Data Access logs are enabled by default. A question might say: 'Which service has Data Access logs enabled by default?' Answer: BigQuery. Candidates often forget this exception.
Retention Extension: To retain logs beyond 400 days, export to Cloud Storage or BigQuery. The exam may ask: 'How can you retain audit logs for 7 years?' Answer: Create a log sink to Cloud Storage with a lifecycle rule. A wrong answer: 'Increase the retention period in the logging settings' — but the maximum is 400 days.
Edge Cases: If a log sink is deleted, the logs already in the destination remain, but new logs are not exported. If an exclusion filter is created, logs matching the filter are not ingested at all — they are permanently lost. The exam may test that you cannot recover excluded logs.
How to Eliminate Wrong Answers: Focus on the mechanism. If the question is about viewing logs, check if Data Access is involved — that requires privateLogViewer. If the question is about enabling, remember the --service flag. If the question is about retention, think sinks. If the question is about default, recall that Admin Activity is always on. This systematic elimination works.
Admin Activity and System Event audit logs are always enabled and cannot be disabled.
Data Access audit logs are disabled by default except for BigQuery.
Default retention for all audit logs is 400 days; extend via log sinks to Cloud Storage or BigQuery.
To view Data Access logs, you need roles/logging.privateLogViewer (or logging.privateLogEntries.list permission).
Log exclusions prevent ingestion of matching log entries entirely, reducing cost but risking compliance.
BigQuery is the only service with Data Access logs enabled by default.
Use gcloud logging settings update --enable-data-access --service=SERVICE to enable Data Access logs per service.
These come up on the exam all the time. Here's how to tell them apart.
Admin Activity Audit Logs
Enabled by default for all services
Records configuration-modifying API calls (e.g., create, delete, update)
Lower volume, lower cost
Retained for 400 days
Accessible with roles/logging.viewer
Data Access Audit Logs
Disabled by default (except BigQuery)
Records data-reading and data-modifying API calls (e.g., get, list, query)
Higher volume, higher cost
Retained for 400 days (default), can be extended via sinks
Accessible with roles/logging.privateLogViewer
Mistake
Data Access logs are enabled by default for all Google Cloud services.
Correct
Data Access logs are disabled by default for all services except BigQuery. You must explicitly enable them per service using gcloud, Console, or API.
Mistake
Admin Activity logs can be disabled to reduce costs.
Correct
Admin Activity logs are always enabled and cannot be disabled. They are free and retained for 400 days. You can only exclude them from ingestion using log exclusions, but that removes them entirely.
Mistake
Log sinks extend the retention period of logs in Cloud Logging.
Correct
Log sinks copy logs to a destination (Cloud Storage, BigQuery, etc.) but do not change the retention period in Cloud Logging. Logs in Cloud Logging are still deleted after 400 days. The copy in the destination persists according to your lifecycle rules.
Mistake
The roles/logging.viewer role provides access to Data Access audit logs.
Correct
roles/logging.viewer only provides access to Admin Activity and System Event logs. To view Data Access logs, you need roles/logging.privateLogViewer, which includes the logging.privateLogEntries.list permission.
Mistake
Log exclusion filters reduce the volume of logs exported to sinks only.
Correct
Log exclusion filters prevent matching log entries from being ingested into Cloud Logging at all. They are not exported to any sink and are permanently lost. This reduces both storage cost and sink volume.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use the gcloud command: `gcloud logging settings update --enable-data-access --service=storage.googleapis.com`. You can also enable via the Google Cloud Console under Logging > Logs Router > Project Settings. Verify with `gcloud logging settings describe`.
roles/logging.viewer grants logging.logEntries.list, which allows viewing Admin Activity and System Event logs. roles/logging.privateLogViewer adds logging.privateLogEntries.list, which is required to view Data Access logs (which contain sensitive data). Always use privateLogViewer for Data Access.
Yes, by creating a log sink to export logs to Cloud Storage or BigQuery. In Cloud Storage, set a lifecycle rule to keep objects for the desired period (e.g., 7 years). The logs in Cloud Logging are still deleted after 400 days, but the exported copy persists.
Data Access logs can generate very high volumes (every read API call), leading to significant storage costs. Google disables them by default to prevent unexpected bills. You enable them only for services that require compliance auditing.
Deleting a log sink stops future log exports. Logs that were already exported to the destination remain. Logs that were not yet exported are lost (they are not retroactively exported). To avoid gaps, create a new sink before deleting the old one.
Yes, you can create log exclusion filters. For example, exclude health check requests by filtering on resource type or method. However, be careful not to exclude compliance-relevant events. Exclusions apply before ingestion, so excluded logs are permanently lost.
Use the Logs Explorer with a filter like `resource.type="gcs_bucket" AND resource.labels.bucket_name="my-bucket"`. You can also filter by logName for Admin Activity (`cloudaudit.googleapis.com/activity`) or Data Access (`cloudaudit.googleapis.com/data_access`).
You've just covered IAM Audit Logging and Data Access Logs — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?