This chapter covers Google Cloud's audit logging and compliance capabilities, a critical topic for the Google Cloud Digital Leader (GCDL) exam. You will learn about the types of audit logs, retention policies, export options, and how they support compliance frameworks like SOC, PCI DSS, and HIPAA. Approximately 10-15% of exam questions touch on logging, monitoring, and compliance, making this a high-yield area. Mastery of this content ensures you can advise on governance, risk management, and operational visibility in Google Cloud.
A bank's surveillance system consists of multiple cameras recording every teller transaction, vault access, and ATM interaction. Each camera records continuously, but only specific events (e.g., alarm triggers, after-hours access) are flagged and reviewed. The bank's compliance officer configures which cameras to keep footage from, for how long (e.g., 30 days for teller areas, 90 days for vault), and who can view the footage. When an incident occurs, the officer can replay the exact sequence of events. Similarly, Google Cloud Audit Logs record every API call and administrative action. There are three categories: Admin Activity logs (always-on, no cost, 400-day retention), Data Access logs (opt-in, chargeable, configurable retention), and System Event logs (always-on, no cost, 400-day retention). Just as the bank can't retroactively recover footage not recorded, Cloud Audit Logs cannot capture actions before logging was enabled for Data Access. The compliance officer uses a log viewer (Cloud Logging) to search, filter, and export logs to Cloud Storage for long-term archival. The analogy breaks down if you think logs capture network packets—they capture administrative actions and data access, not raw traffic.
What Are Cloud Audit Logs?
Cloud Audit Logs are a feature of Google Cloud that records administrative activities, data access, and system events within your cloud resources. They are essential for security, compliance, and operational troubleshooting. The GCDL exam expects you to understand the three types of audit logs, their differences, retention, and how to export them.
Types of Audit Logs
Google Cloud provides three categories of audit logs:
Admin Activity Logs: Record all API calls that modify the configuration or metadata of resources. These are always enabled at no charge and retained for 400 days. Examples: creating a VM, changing IAM permissions, deleting a Cloud Storage bucket.
Data Access Logs: Record API calls that read the configuration or metadata of resources (ADMIN_READ) and calls that read, create or modify user-provided data (DATA_READ, DATA_WRITE). They are disabled by default and must be enabled per service; the one exception is BigQuery, whose Data Access logs are always on and cannot be switched off. Once enabled they count against Cloud Logging ingestion charges. They are stored in the _Default bucket with a 30-day default retention, which you can raise on the bucket itself or outlast by exporting. Examples: reading a file from Cloud Storage, querying a BigQuery table, listing objects in a bucket.
System Event Logs: Record non-human-initiated actions that modify a resource's configuration, such as automatic scaling or maintenance events. They are always enabled at no charge and retained for 400 days.
How Audit Logs Work Internally
When an API call is made, the service that handles it generates an audit log entry, and the Log Router places it in a log bucket: Admin Activity and System Event entries (and Access Transparency entries) go to the `_Required` bucket, Data Access entries to the `_Default` bucket. The entry is an ordinary LogEntry whose `protoPayload` is an `AuditLog` message. The fields that matter most:
- protoPayload: the audited call itself: `serviceName`, `methodName`, `resourceName`, a `status` for failed calls, and (depending on the service) request and response details.
- resource: the monitored resource the call targeted (e.g., `gcs_bucket`, `gce_instance`) with its identifying labels.
- timestamp: when the call occurred (microsecond precision).
- protoPayload.authenticationInfo: the principal (user or service account) making the call, as `principalEmail`.
- protoPayload.authorizationInfo: one element per IAM permission checked, naming the permission, the resource it was checked against, and a boolean `granted`. The IAM role is not recorded, only the permission; denied calls appear with `granted: false`.
Each entry is immutable once stored: you cannot edit or delete individual entries, only set retention on the bucket. The `_Required` bucket's 400-day retention cannot be changed. The `_Default` bucket's retention is 30 days by default and can be set anywhere from 1 to 3650 days (10 years). Retention of copies routed elsewhere is governed entirely by the destination, not by Cloud Logging.
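As an added example (not code from the original page), the following Python parses a handful of constructed audit log entries in the newline-delimited JSON form a Cloud Storage sink writes, derives the log type from `logName`, and pulls out the principal, method and permission decisions. The field names are the real LogEntry/AuditLog ones; the project, principals, bucket and instance names are invented.

```python
"""Parse Cloud Audit Log entries, classify them by type and flag denied calls.

Added example, not code from the original page. The entries below are
constructed by hand to match the LogEntry/AuditLog shape described above; the
field names (logName, protoPayload.methodName, authenticationInfo,
authorizationInfo, status) are real, the project ID, principals, bucket and
instance names are invented.
"""
import json

# Constructed sample: one entry per audit log type plus one denied Data Access
# call. Each line is one LogEntry, as a Cloud Storage sink would write it.
SAMPLE_ENTRIES = r"""
{"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2024-05-01T10:00:00.123456Z", "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "payments-data"}}, "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "storage.googleapis.com", "methodName": "storage.buckets.delete", "resourceName": "projects/_/buckets/payments-data", "authenticationInfo": {"principalEmail": "alice@example.com"}, "authorizationInfo": [{"resource": "projects/_/buckets/payments-data", "permission": "storage.buckets.delete", "granted": true}]}}
{"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "timestamp": "2024-05-01T10:05:00.000000Z", "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "payments-data"}}, "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/payments-data/objects/cards.csv", "authenticationInfo": {"principalEmail": "etl@my-project.iam.gserviceaccount.com"}, "authorizationInfo": [{"resource": "projects/_/buckets/payments-data/objects/cards.csv", "permission": "storage.objects.get", "granted": true}]}}
{"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fsystem_event", "timestamp": "2024-05-01T10:07:00.000000Z", "resource": {"type": "gce_instance", "labels": {"instance_id": "1234567890", "zone": "us-central1-a"}}, "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "compute.googleapis.com", "methodName": "compute.instances.migrateOnHostMaintenance", "resourceName": "projects/my-project/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "system@google.com"}}}
{"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "timestamp": "2024-05-01T10:09:00.000000Z", "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "payments-data"}}, "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "storage.googleapis.com", "status": {"code": 7, "message": "PERMISSION_DENIED"}, "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/payments-data/objects/cards.csv", "authenticationInfo": {"principalEmail": "bob@example.com"}, "authorizationInfo": [{"resource": "projects/_/buckets/payments-data/objects/cards.csv", "permission": "storage.objects.get", "granted": false}]}}
"""

AUDIT_PREFIX = "/logs/cloudaudit.googleapis.com/"


def parse_entries(text):
    """Parse newline-delimited JSON (the Cloud Storage export format) into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_log_type(entry):
    """Return 'activity', 'data_access' or 'system_event' from logName, else None.

    logName is URL-encoded in exports ('%2F' for '/'), so decode before matching.
    """
    log_name = entry.get("logName", "").replace("%2F", "/")
    if AUDIT_PREFIX not in log_name:
        return None  # not an audit log at all (e.g. an application log)
    return log_name.split(AUDIT_PREFIX, 1)[1]


def summarize(entry):
    """Pull out the fields an analyst looks at first."""
    payload = entry.get("protoPayload", {})
    checks = payload.get("authorizationInfo", [])  # absent on System Event entries
    return {
        "type": audit_log_type(entry),
        "time": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload.get("methodName"),
        "resource": payload.get("resourceName"),
        # None when no permission check was recorded (system-initiated actions)
        "granted": all(c.get("granted", False) for c in checks) if checks else None,
        "denied_permissions": [c["permission"] for c in checks if not c.get("granted", False)],
    }


def denied_calls(entries):
    """(principal, permission) for every permission check that was refused."""
    denied = []
    for entry in entries:
        s = summarize(entry)
        denied.extend((s["principal"], perm) for perm in s["denied_permissions"])
    return denied


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_ENTRIES)
    for entry in entries:
        print(summarize(entry))
    print("denied:", denied_calls(entries))
```

The denied entry is the one to notice: the call failed, but the attempt is still in the log with `granted: false`, which is why detection rules key on `authorizationInfo.granted` rather than only on successful methods.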
Log Export and Retention
To retain logs beyond the bucket retention periods or to analyze them with external tools, route them to Cloud Storage, BigQuery, or Pub/Sub (or to another log bucket) with a log sink. A sink is a Log Router rule with an inclusion filter that selects entries and a destination that receives them. For example:
gcloud logging sinks create my-sink storage.googleapis.com/my-bucket \
--log-filter='logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"'
This creates a sink that routes all Admin Activity logs in the project to a Cloud Storage bucket. The command prints the sink's writer identity, a service account (`gcloud logging sinks describe my-sink` shows it again); grant that identity `roles/storage.objectCreator` on the bucket, or nothing will arrive. Cloud Storage receives newline-delimited JSON files in hourly batches; there is no CSV option. BigQuery receives rows in dated tables (or one day-partitioned table if the sink is created with --use-partitioned-tables), and Pub/Sub receives one message per entry.
Retention for exported logs is independent of Cloud Logging's retention. You can set lifecycle rules on the Cloud Storage bucket to delete logs after a specific period (e.g., 7 years for compliance). For a compliance archive, pair the lifecycle rule with a bucket retention policy (optionally locked) so the exported entries cannot be deleted early, even by a project owner or a compromised credential.
Compliance Frameworks
Google Cloud's audit logs help meet requirements for:
- SOC 1/2/3: Logging of access and changes to systems.
- PCI DSS: Requirement 10 states that all access to cardholder data must be logged and logs retained for at least one year, with at least the most recent three months immediately available for analysis.
- HIPAA: Audit controls must record and examine activity in information systems that contain ePHI.
- FedRAMP: Logging of administrative and data access.
The exam may ask which log type satisfies a specific compliance requirement. For example, PCI DSS requires logging of all access to cardholder data, which maps to Data Access logs (with Admin Activity logs covering the administrative-action parts of the same requirement).
Viewing and Searching Logs
You can view logs in the Cloud Console under Logging > Logs Explorer. Use filters like:
resource.type="gce_instance"
severity>=ERROR
logName="projects/my-project/logs/cloudaudit.googleapis.com%2Factivity"
For programmatic access, use the Cloud Logging API or gcloud logging read.
Integration with Other Services
Cloud Monitoring: Create metrics based on log entries (e.g., count of failed login attempts).
Cloud Pub/Sub: Stream logs to external SIEM systems like Splunk or ArcSight.
Security Command Center: Audit logs are one of the sources its detectors consume for anomaly and threat findings.
Access Transparency: Provides logs when Google engineers access your data, adding another layer of audit for compliance.
Cost Considerations
Admin Activity and System Event logs: Free of charge.
Data Access logs: Charged on the volume stored in log buckets, per GiB (approximately $0.50 per GiB after a free allotment per project per month, subject to change). Exclusion filters on the _Default sink stop entries before they are stored and therefore before they are billed.
Exporting logs: Incur standard storage costs for Cloud Storage, BigQuery, or Pub/Sub.
Exam Trap: Log Type Confusion
The most common wrong answer on the exam is confusing Admin Activity logs with Data Access logs. Remember: Admin Activity logs record *configuration changes* (metadata modifications), while Data Access logs record *data reads* (actual data access). For example, deleting a bucket is Admin Activity; reading a file from that bucket is Data Access. System Event logs are a third category often forgotten.
Default Values and Timers
Admin Activity retention: 400 days (cannot be changed).
Data Access retention: 30 days default in the _Default bucket; can be raised on the bucket (up to 3650 days) or outlasted via export.
System Event retention: 400 days.
Log export can be near real-time (typically within minutes).
Logs are written to Cloud Logging within seconds of the API call.
Configuration Verification
To check current audit log configuration:
gcloud logging buckets describe _Default --location=global
To list log sinks:
gcloud logging sinks list
To see which services have Data Access logs enabled, inspect the audit configuration in the IAM policy:
gcloud projects get-iam-policy my-project --format="json(auditConfigs)"
Interaction with IAM
To read logs you need `logging.logEntries.list` (plus `logging.logs.list` to enumerate log names). The Logs Viewer role (`roles/logging.viewer`) grants these but deliberately excludes Data Access and Access Transparency entries, which require `logging.privateLogEntries.list` from the Private Logs Viewer role (`roles/logging.privateLogViewer`). To export logs you need `logging.sinks.create` (included in `roles/logging.configWriter` and `roles/logging.admin`), and the sink's writer identity needs write access on the destination. The exam may test that Logs Viewer allows reading logs but not exporting them.
Enable Data Access Logs
By default, Data Access logs are disabled for every service except BigQuery. You turn them on per service (or for all services) by editing the audit configuration in the IAM policy of a project, folder or organization: in the Cloud Console under IAM & Admin > Audit Logs, or with gcloud by fetching the policy (`gcloud projects get-iam-policy my-project --format=json`), adding the wanted `DATA_READ`, `DATA_WRITE` and `ADMIN_READ` entries under `auditConfigs`, and writing it back with `gcloud projects set-iam-policy`. A setting made at the organization level is inherited by every folder and project beneath it, which is the usual way to avoid per-project gaps. This step is critical: without it no Data Access logs are generated, leaving you blind to unauthorized data reads. The exam often tests that Data Access logs are opt-in and incur costs.
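The following Python is an added example, not code from the original page or from Google. It shows the merge step you would do between `gcloud projects get-iam-policy` and `gcloud projects set-iam-policy`: the `auditConfigs` structure is the real IAM policy format, while the project bindings, members and etag are constructed.

```python
"""Enable Data Access audit logs for a service by editing the IAM policy's auditConfigs.

Added example, not from the original page or Google's tooling. Data Access
logging is switched on through the IAM policy of a project, folder or org,
not through Cloud Logging itself: fetch the policy
(gcloud projects get-iam-policy PROJECT --format=json > policy.json), merge the
desired auditConfigs entry, then write it back
(gcloud projects set-iam-policy PROJECT policy.json). The auditConfigs layout
below is the real format; bindings, members and etag are constructed.
"""
import copy
import json

DATA_ACCESS_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample policy: Cloud Storage has only ADMIN_READ enabled, so
# object reads and writes are NOT being logged yet.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:etl@my-project.iam.gserviceaccount.com"]}
  ],
  "auditConfigs": [
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}]}
  ],
  "etag": "BwXyzConstructedEtag=",
  "version": 1
}
""")


def _config_for(policy, service):
    """The auditConfigs element for one service, or None."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            return cfg
    return None


def data_access_enabled(policy, service, log_type="DATA_READ"):
    """True if log_type is enabled for service, directly or via 'allServices'."""
    for name in (service, "allServices"):
        cfg = _config_for(policy, name)
        if cfg and any(c.get("logType") == log_type for c in cfg.get("auditLogConfigs", [])):
            return True
    return False


def enable_data_access(policy, service, log_types=DATA_ACCESS_LOG_TYPES, exempted_members=()):
    """Return a copy of policy with the given log types enabled for service.

    Existing entries (ADMIN_READ, and any exemptedMembers already present) are
    kept, so the call is idempotent. Bindings and etag are untouched: the etag
    is what lets set-iam-policy reject a stale copy of the policy.
    """
    updated = copy.deepcopy(policy)
    updated.setdefault("auditConfigs", [])
    cfg = _config_for(updated, service)
    if cfg is None:
        cfg = {"service": service, "auditLogConfigs": []}
        updated["auditConfigs"].append(cfg)
    present = {c.get("logType") for c in cfg["auditLogConfigs"]}
    for log_type in log_types:
        if log_type in present:
            continue  # already on; do not clobber its exemptedMembers
        entry = {"logType": log_type}
        if exempted_members:
            entry["exemptedMembers"] = list(exempted_members)
        cfg["auditLogConfigs"].append(entry)
    return updated


if __name__ == "__main__":
    new_policy = enable_data_access(SAMPLE_POLICY, "storage.googleapis.com")
    print(json.dumps(new_policy["auditConfigs"], indent=2))
```

Write the result to a file and apply it with `gcloud projects set-iam-policy my-project policy.json`. Because set-iam-policy replaces the whole policy, always start from a freshly fetched copy so you do not silently revert someone else's binding change (the etag check rejects a stale one). Use the service name `allServices` to enable logging everywhere, and `exemptedMembers` to drop a noisy, trusted principal rather than turning the log type off for everyone.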
API Call Intercepted
When a user or service account makes an API call (e.g., `gcloud storage cp` to download a file), the service's API frontend authenticates the caller and checks IAM authorization. The audit log entry is generated whether or not that check passes: a denied call is recorded with `authorizationInfo.granted: false` and a PERMISSION_DENIED status, which is exactly what a detection rule for unauthorized attempts should look for. For Data Access calls this only holds if Data Access logging is enabled for that service; otherwise neither the success nor the denial is recorded. The entry carries the caller's identity, the resource, the method and the outcome, and is written to the Cloud Logging backend within seconds.
Log Entry Written to Bucket
The log entry is routed to the appropriate log bucket based on its type. Admin Activity logs go to the `_Required` bucket (retention 400 days, fixed). Data Access logs go to the `_Default` bucket (retention 30 days by default, configurable from 1 to 3650 days). System Event logs also go to `_Required`. When a bucket's retention period passes, entries are deleted automatically and cannot be recovered unless they were exported. The exam may ask the default retention for each type.
Log Sink Filters and Exports
If you have configured a log sink with an inclusion filter, the log entry is evaluated against the filter. If it matches, the entry is forwarded to the destination (Cloud Storage, BigQuery, or Pub/Sub). This happens asynchronously but typically within minutes. Sinks can also exclude certain logs using exclusion filters. For compliance, you might export all Admin Activity logs to a Cloud Storage bucket with a 7-year retention policy. The exam might test that sinks can be created at the project, folder, or organization level.
Log Entry Stored and Accessible
Once in the destination, logs are stored as objects (Cloud Storage), rows (BigQuery), or messages (Pub/Sub). In Cloud Storage a sink writes batched, newline-delimited JSON files (one entry per line) in hourly folders, not one object per entry. In BigQuery, logs land in dated tables such as `cloudaudit_googleapis_com_activity_20240501`, or in a single day-partitioned table if the sink was created with partitioned tables; nested fields such as `protoPayload.methodName` are queried directly. You can query logs with SQL in BigQuery or through the Logs Explorer. The exam may ask about querying BigQuery for compliance reports. For example, to find all delete operations in the last 30 days in a partitioned sink table:
SELECT timestamp, protoPayload.authenticationInfo.principalEmail AS principal, protoPayload.methodName, protoPayload.resourceName
FROM `my_dataset.cloudaudit_googleapis_com_activity`
WHERE timestamp >= TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 30 DAY)
  AND LOWER(protoPayload.methodName) LIKE '%delete%'
ORDER BY timestamp DESC
Enterprise Scenario 1: PCI DSS Compliance for E-commerce Platform
A large e-commerce company processes credit card transactions on Google Cloud. PCI DSS Requirement 10 mandates that all access to cardholder data is logged and logs are retained for at least one year. The company enables Data Access logs for all services interacting with cardholder data (e.g., Cloud SQL, Cloud Storage; BigQuery's are already on). They create a log sink that exports all Admin Activity and Data Access logs to a Cloud Storage bucket with a lifecycle rule that deletes logs after 400 days (to exceed the 1-year requirement) and a locked retention policy so nothing is deleted earlier. They also set up a Pub/Sub sink to stream logs to a SIEM for real-time monitoring. A common misconfiguration is forgetting to enable Data Access logs for specific services, leaving gaps in audit coverage. The company also enables Access Transparency logs to track Google personnel access to their data, which supplements the audit trail their assessor reviews.
Enterprise Scenario 2: HIPAA Compliance for Healthcare SaaS
A healthcare SaaS provider stores Protected Health Information (PHI) in Cloud Storage and BigQuery. HIPAA requires audit controls that record and examine activity. They enable Data Access logs for Cloud Storage (BigQuery's are on by default), and export all logs to BigQuery for long-term retention and analysis. They set up log-based metrics to alert on suspicious activity, such as bulk exports of PHI. The challenge is managing costs: Data Access logs can generate terabytes of logs per day. They use exclusion filters to drop logs from non-sensitive buckets, reducing volume by 70%. The _Required bucket's 400-day retention covers Admin Activity logs in Cloud Logging, but they still export those logs, because HIPAA's six-year documentation retention period is far longer than 400 days. A common mistake is not enabling Data Access logs for all services that touch PHI, such as the Cloud Healthcare API.
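As an added example (not from the original page), here is the detection logic from the scenario above run offline against constructed Data Access entries: it counts distinct Cloud Storage object reads per principal in a sliding window and flags anyone at or over a threshold, with an allowlist for the accounts expected to bulk-read. The entry shape follows Cloud Audit Logs; the project, bucket, principals and object names are invented.

```python
"""Flag principals that read an unusual number of objects in a short window.

Added example, not from the original page. A Cloud Logging log-based metric
counts matching entries in production; the same threshold logic is shown here
in code so it can be run offline against constructed Data Access entries. The
entry shape (logName, protoPayload.methodName, authenticationInfo,
resourceName) follows Cloud Audit Logs; the project, bucket, principals and
object names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def data_access_read(principal, obj, seconds_after_start):
    """Build one constructed Data Access entry for a Cloud Storage object read."""
    base = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    ts = base + timedelta(seconds=seconds_after_start)
    return {
        "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "timestamp": ts.isoformat().replace("+00:00", "Z"),
        "protoPayload": {
            "methodName": "storage.objects.get",
            "resourceName": f"projects/_/buckets/phi-records/objects/{obj}",
            "authenticationInfo": {"principalEmail": principal},
        },
    }


# Constructed sample: an export job pulls 6 records in under two minutes, a
# clinician reads 1, and a contractor account reads 5 records in 72 seconds.
SAMPLE_ENTRIES = (
    [data_access_read("export@my-project.iam.gserviceaccount.com", f"rec-{i}.json", 20 * i) for i in range(6)]
    + [data_access_read("dr.lee@example.com", "rec-42.json", 300)]
    + [data_access_read("contractor@example.com", f"rec-{100 + i}.json", 600 + 18 * i) for i in range(5)]
)


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-05-01T09:00:20Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def bulk_readers(entries, threshold=5, window_seconds=300, allowlist=()):
    """Return {principal: peak_distinct_reads} for principals whose distinct
    object reads inside any window of window_seconds reach the threshold.

    Accounts that legitimately bulk-read (ETL, backups) go on the allowlist;
    everyone else who trips the threshold is returned for review.
    """
    window = timedelta(seconds=window_seconds)
    reads = defaultdict(list)
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") != "storage.objects.get":
            continue  # only object reads count as PHI access here
        principal = payload["authenticationInfo"]["principalEmail"]
        if principal in allowlist:
            continue
        reads[principal].append((parse_ts(entry["timestamp"]), payload["resourceName"]))

    flagged = {}
    for principal, events in reads.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # distinct objects read in the window that opens at this event
            in_window = {res for t, res in events[i:] if t - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[principal] = peak
    return flagged


if __name__ == "__main__":
    print(bulk_readers(SAMPLE_ENTRIES))
    print(bulk_readers(SAMPLE_ENTRIES, allowlist={"export@my-project.iam.gserviceaccount.com"}))
```

The equivalent log-based metric in Cloud Logging uses the filter `logName="projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access" AND protoPayload.methodName="storage.objects.get"` with `protoPayload.authenticationInfo.principalEmail` as a label, and an alerting policy on the per-label rate; the allowlist becomes a `NOT protoPayload.authenticationInfo.principalEmail="..."` clause.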
Scenario 3: SOC 2 Type II Audit for SaaS Startup
A startup preparing for a SOC 2 audit needs to demonstrate that they monitor and log administrative activities. They rely on Admin Activity logs (always on, free) and export them to a BigQuery dataset. They create a dashboard in Looker that shows all IAM role changes, resource deletions, and firewall modifications. The auditor reviews these logs to verify that changes are authorized and logged. The startup also uses Cloud Logging's log views to restrict access to logs based on team roles. A common pitfall is relying solely on default retention (30 days for Data Access) without export, causing logs to be unavailable during the audit window (typically 6-12 months). They configure sink exports with 1-year retention to avoid this.
What the GCDL Exam Tests
Objective 2.5 covers 'Cloud Audit Logging and Compliance' under the Infrastructure domain. The exam expects you to:
Distinguish between Admin Activity, Data Access, and System Event logs.
Know default retention periods: Admin Activity and System Event: 400 days; Data Access: 30 days.
Understand that Data Access logs are opt-in and incur costs.
Know how to export logs using sinks to Cloud Storage, BigQuery, or Pub/Sub.
Recognize that logs can be viewed in Cloud Logging and queried in BigQuery.
Identify compliance use cases: PCI DSS, HIPAA, SOC.
Common Wrong Answers and Why
'Data Access logs are enabled by default.' This is false. Admin Activity and System Event logs are always on; Data Access logs must be explicitly enabled. Candidates confuse 'always on' with 'opt-in.'
'Admin Activity logs are retained for 30 days.' The correct retention is 400 days. The exam may present 30 days as a distractor because that's the default for Data Access logs.
'System Event logs record user actions.' They record system-initiated actions, not user actions. Candidates may think they are the same as Admin Activity.
'You can delete individual log entries.' Logs are immutable; you cannot delete single entries. You control retention via bucket settings.
Specific Numbers and Terms
Retention: 400 days for Admin Activity and System Event; 30 days for Data Access.
Log types: cloudaudit.googleapis.com/activity, cloudaudit.googleapis.com/data_access, cloudaudit.googleapis.com/system_event.
Sink: A log router configuration that exports logs.
Inclusion filter: Determines which logs are exported.
Exclusion filter: Drops matching entries from a sink; on the _Default sink this stops them being stored in the _Default bucket, so they are never billed (cost savings). Entries bound for _Required cannot be excluded.
Edge Cases and Exceptions
If you export logs to Cloud Storage, the log's retention is independent of Cloud Logging's retention. You can keep exported logs indefinitely.
Data Access logs for BigQuery are enabled by default? Yes: BigQuery is the one service whose Data Access audit logs are always on and cannot be disabled, so "Data Access logs are opt-in" holds for every other service. The exam may test this nuance.
Logs are written in near real-time but may have a delay of up to several minutes for high-traffic projects.
How to Eliminate Wrong Answers
Read the question carefully: Does it say 'administrative actions'? Then Admin Activity. 'Data reads'? Then Data Access. 'Automatic scaling'? Then System Event.
If cost is mentioned, think Data Access logs (they are chargeable).
If retention longer than 400 days is needed, think export.
If the question asks about 'always on' and 'free', it's Admin Activity or System Event.
Admin Activity and System Event logs are always on, free, and retained for 400 days.
Data Access logs are opt-in, chargeable, and have a default retention of 30 days.
Logs are immutable; you cannot delete individual entries.
Export logs using sinks to Cloud Storage, BigQuery, or Pub/Sub for long-term retention or analysis.
Log sinks can have inclusion and exclusion filters to control what is exported.
Compliance frameworks like PCI DSS, HIPAA, and SOC require audit logging; know which log type satisfies which requirement.
The Logs Explorer in Cloud Logging allows viewing and searching logs; Logs Viewer role grants read access.
These come up on the exam all the time. Here's how to tell them apart.
Admin Activity Logs
Records API calls that modify resource configuration (e.g., create, delete, update).
Always enabled at no charge.
Retained for 400 days.
Example: Creating a Cloud Storage bucket.
Cannot be disabled.
Data Access Logs
Records API calls that read resource data (e.g., get, list).
Opt-in; incurs additional cost based on volume.
Default retention 30 days (can be extended via export).
Example: Downloading a file from a Cloud Storage bucket.
Must be explicitly enabled per service or organization.
Mistake
Data Access logs are enabled by default for all services.
Correct
Data Access logs are opt-in. Only Admin Activity and System Event logs are always enabled. You must explicitly enable Data Access logs per service or organization-wide.
Mistake
Admin Activity logs are retained for 30 days.
Correct
Admin Activity logs are retained for 400 days in the _Required bucket, and that period cannot be changed. The 30-day default applies only to the _Default bucket, where Data Access logs are stored.
Mistake
You can delete individual audit log entries using the Cloud Console.
Correct
Audit log entries are immutable. You cannot delete individual entries. You can only set retention periods on log buckets to automatically delete logs after a certain time.
Mistake
System Event logs record user-initiated actions like creating a VM.
Correct
System Event logs record Google Cloud system actions, such as automatic scaling or maintenance events. User-initiated actions are recorded in Admin Activity logs.
Mistake
Exporting logs to Cloud Storage changes how long Cloud Logging keeps them.
Correct
Exporting creates an independent copy. The entries in Cloud Logging still expire with their bucket's retention (400 days for _Required); the exported objects persist in Cloud Storage until a lifecycle rule you configure deletes them, and a bucket retention policy can stop them being deleted early. Retention of the copy is governed by Cloud Storage settings, not by Cloud Logging.
Admin Activity, Data Access, and System Event logs. Admin Activity logs record configuration changes, Data Access logs record data reads, and System Event logs record Google-initiated actions. All three are part of Cloud Audit Logs.
Admin Activity and System Event logs are retained for 400 days. Data Access logs are retained for 30 days in the _Default bucket. You can export logs to extend retention.
Yes, you can export logs to Pub/Sub, which can then be consumed by external SIEM systems like Splunk or ArcSight. Create a log sink with a Pub/Sub destination.
You enable Data Access logs through the IAM audit configuration, not through the Logs Router: in the Cloud Console under IAM & Admin > Audit Logs, or with gcloud by fetching the policy (`gcloud projects get-iam-policy <project> --format=json`), adding `DATA_READ`/`DATA_WRITE` entries under `auditConfigs` for the service (or `allServices`), and applying it with `gcloud projects set-iam-policy <project> policy.json`. The same can be done at folder or organization level and is inherited downward.
A log bucket is a storage container within Cloud Logging that holds logs (e.g., _Required, _Default). A log sink is a Log Router rule that matches incoming entries against a filter and sends them to a destination: a log bucket, Cloud Storage, BigQuery, or Pub/Sub. The _Required and _Default buckets are themselves fed by two built-in sinks of the same names.
No, Data Access logs incur charges based on the volume of log data ingested into Cloud Logging. Admin Activity and System Event logs are free.
No. The logs live in the project's own log buckets, so they are no longer accessible once the project is deleted. If you need them afterwards, export them to Cloud Storage or BigQuery in a different project, or route them to a centralized log bucket in a dedicated logging project, before the deletion.