This page describes how audit logging works when securing the Cloud de Confiance console and the Cloud de Confiance by S3NS APIs with Access Context Manager.
By default, Access Context Manager writes to Cloud Logging a record of every access request to the Cloud de Confiance console and the Cloud de Confiance by S3NS APIs that is denied because of a security policy violation. The audit log records are securely stored in Google infrastructure and available for future analysis. The content of the audit log is available on a per-organization basis in the Cloud de Confiance console. The Access Context Manager audit log is written into the "Audited Resource" logging stream and is available in Cloud Logging.
Audit log record content
Each audit log record contains two kinds of information: details of the original call, and details of the security policy violation. The fields are filled as follows:
| Audit Log Field | Meaning |
| --- | --- |
| logName | The organization identification and audit log type. |
| serviceName | The name of the service handling the call, contextawareaccess.googleapis.com, that resulted in the creation of this audit record. |
| authenticationInfo.principal_email | Email address of the user issuing the original call. |
| timestamp | The time of the targeted operation. |
| resource | The target of the audited operation. |
| resourceName | The organization intended to receive this audit record. |
| requestMetadata.callerIp | The IP address from which the call originated. |
| requestMetadata.requestAttributes.auth.accessLevels | The active access levels satisfied by the request. |
| status | The overall status of handling an operation described in this record. |
| metadata | An instance of the google.cloud.audit.ContextAwareAccessAuditMetadata protobuf type, serialized as a JSON Struct. Its 'unsatisfiedAccessLevels' field contains a list of the access levels that the request failed to satisfy. |
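As an added example (not part of the original documentation), the following Python groups denied requests by principal and by unsatisfied access level using the field names from the table above, so repeated policy denials can be reviewed per user and caller IP. The sample entries are constructed, the access level and organization names are placeholders, and the nesting of the fields under protoPayload is assumed from the Cloud Audit Logs entry format.

```python
import json
from collections import Counter, defaultdict
ACM_SERVICE = "contextawareaccess.googleapis.com"  # serviceName given in the table above
LEVEL_CORP = "accessPolicies/EXAMPLE_POLICY/accessLevels/corp_network"  # constructed names;
LEVEL_DEVICE = "accessPolicies/EXAMPLE_POLICY/accessLevels/managed_device"  # EXAMPLE_* are placeholders

def make_entry(principal, ip, unsatisfied, service=ACM_SERVICE):
    """Constructed entry using the page's field names; protoPayload nesting
    is assumed from the Cloud Audit Logs entry format."""
    return json.dumps({
        "logName": "organizations/EXAMPLE_ORG_ID/logs/EXAMPLE_LOG_TYPE",
        "protoPayload": {
            "serviceName": service,
            "authenticationInfo": {"principal_email": principal},
            "requestMetadata": {"callerIp": ip,
                                "requestAttributes": {"auth": {"accessLevels": []}}},
            "status": {"code": 7, "message": "PERMISSION_DENIED"},
            "metadata": {"unsatisfiedAccessLevels": unsatisfied},
        },
    })

SAMPLE_ENTRIES = [  # constructed sample data, not real log records
    make_entry("alice@example.com", "198.51.100.7", [LEVEL_CORP]),
    make_entry("alice@example.com", "198.51.100.7", [LEVEL_CORP]),
    make_entry("alice@example.com", "203.0.113.9", [LEVEL_CORP]),
    make_entry("bob@example.com", "198.51.100.8", [LEVEL_CORP, LEVEL_DEVICE]),
    make_entry("svc@example.com", "198.51.100.9", [], service="other.googleapis.com"),
]

def summarize_denials(entries, repeat_threshold=3):
    """Per-principal denial summary; flags principals with >= repeat_threshold denials."""
    denials = Counter()             # principal -> denied requests
    levels = defaultdict(Counter)   # principal -> unsatisfied level -> count
    ips = defaultdict(set)          # principal -> caller IPs seen
    for raw in entries:
        payload = json.loads(raw).get("protoPayload", {})
        if payload.get("serviceName") != ACM_SERVICE:
            continue  # not an Access Context Manager record
        principal = payload.get("authenticationInfo", {}).get("principal_email", "<unknown>")
        denials[principal] += 1
        ips[principal].add(payload.get("requestMetadata", {}).get("callerIp", "<unknown>"))
        for level in payload.get("metadata", {}).get("unsatisfiedAccessLevels", []):
            levels[principal][level] += 1
    return {
        "denials": dict(denials),
        "unsatisfied_levels": {p: dict(c) for p, c in levels.items()},
        "caller_ips": {p: sorted(s) for p, s in ips.items()},
        "flagged_principals": sorted(p for p, n in denials.items() if n >= repeat_threshold),
    }
```

Running `summarize_denials(SAMPLE_ENTRIES)` flags alice@example.com (three denials from two caller IPs) and shows which access levels bob@example.com failed, while the record from another service is skipped.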
Accessing the audit log
The content of the audit log is available on a per-organization basis in the Cloud de Confiance console. The Access Context Manager audit log is written into the "Audited Resource" logging stream and is available in Cloud Logging.
What's next
- Learn more about Cloud Audit Logs.
- Learn more about Enabling Cloud Audit Logs in Identity-Aware Proxy.
- Learn more about Audit Logging in VPC Service Controls.