This document introduces log buckets, which are the containers that Cloud Logging uses to store your log data. It provides information about location, management of the encryption key, and data retention for log buckets. It also highlights where you can use organization policies or default resource settings to control the location and encryption for new log buckets in folders or organizations.
About log buckets
By default, Cloud Logging encrypts customer content stored at rest. Data stored in log buckets is encrypted with data-encryption keys that are in turn wrapped by key-encryption keys, a process known as envelope encryption. Access to your log data therefore requires access to those key-encryption keys. By default, these are Google Cloud-powered encryption keys, and they don't require any action on your part.
Your organization might have regulatory, compliance-related, or advanced encryption requirements that the default encryption at rest doesn't provide. To meet those requirements, instead of using Google Cloud-powered encryption keys, you can use customer-managed encryption keys and manage the keys yourself.
Log buckets are regional resources with a fixed location that can't be changed after the bucket is created. Cloud de Confiance by S3NS manages that infrastructure so that your log data is available redundantly across the zones within that region.
The retention period for log entries depends on the log bucket that stores them; the retention of the system-created log buckets is described later in this document.
You can create log views on a log bucket. A log view provides access to only a subset of the log data stored in a log bucket. For every log bucket, Cloud Logging automatically creates one log view that provides access to every log entry in the log bucket. You control access to a log view by using Identity and Access Management (IAM).
To query and view your log data, use the Logs Explorer, which helps you troubleshoot and analyze the performance of your services and applications. You can view individual log entries and filter your log data. The interface has a scope setting, which lets you search for log data by project, log bucket, or log view.
To learn more, see Query and view log entries.
Support for organizations and folders
To help your organization meet compliance and regulatory needs, Logging supports both organization policies and default resource settings:
- Default resource settings specify the location and how encryption keys are managed for system-created log buckets when new resources are created in a folder or organization. For example, you can force these system-created log buckets to be in a specific location. 
- An organization policy can restrict the location of new user-defined log buckets. Logging supports organization policies that specify regions where log buckets can, or can't, be created. 
System-created log buckets
For each Cloud de Confiance project, billing account, folder, or organization, Cloud Logging creates two log buckets, one named _Required and the other named _Default. Unless default resource settings are configured, these buckets use Google Cloud-powered encryption keys and Cloud Logging selects their location.
You can't delete the system-created log buckets.
_Required log bucket
The _Required log bucket stores log entries that are required for compliance or auditing purposes. For this reason, you can't delete this log bucket and you can't modify which log entries are stored in it. Log entries in this log bucket are retained for 400 days; you can't change this retention period.
The _Required log bucket of a resource stores only log entries that originate in that resource. For example, the _Required log bucket of a Cloud de Confiance project can only store log entries that originate in that project.
The _Required log bucket stores the following types of log entries:
- Admin Activity audit logs
- System Event audit logs
- Google Workspace Admin Audit logs
- Enterprise Groups Audit logs
- Login Audit logs
_Default log bucket
The _Default log bucket stores log entries that aren't automatically stored in the _Required log bucket. Because the _Default log bucket is system created, you can't delete it. However, you can modify which log entries are stored in this log bucket. Log entries in the _Default log bucket are retained for 30 days.
For example, this log bucket stores:
- Data Access audit logs.
- Policy Denied audit logs.
- Logs generated by applications and Cloud de Confiance by S3NS services.
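The routing described in the two sections above has a practical consequence for incident response: an Admin Activity event is still available 400 days later, but a Data Access event in the _Default bucket ages out after 30 days unless you change that bucket's retention or route the entries elsewhere. The following script is an added example, not part of this documentation or of Cloud Logging; it takes the logName of an entry, works out which system-created bucket receives it by default, and checks whether the entry is still within that bucket's retention. It maps only the Cloud Audit Logs log IDs (activity, system_event, data_access, policy); the Workspace, Groups, and Login audit logs listed for the _Required bucket are not modeled, and the sample entries and timestamps are constructed for the example.

```python
# Added example (not part of the Cloud Logging documentation): given the
# logName of a log entry, determine which system-created bucket receives it
# by default and whether it is still within that bucket's default retention.
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Cloud Audit Logs log IDs and the bucket the documentation assigns to them.
# Any other log ID (application or service logs) lands in _Default.
# Assumption: the Workspace, Groups and Login audit logs are not modeled here.
REQUIRED_LOG_IDS = {
    "cloudaudit.googleapis.com/activity": "Admin Activity audit log",
    "cloudaudit.googleapis.com/system_event": "System Event audit log",
}
DEFAULT_LOG_IDS = {
    "cloudaudit.googleapis.com/data_access": "Data Access audit log",
    "cloudaudit.googleapis.com/policy": "Policy Denied audit log",
}
# Retention as described in this document; _Default may have been changed
# in your project, so treat the 30 here as the documented default only.
RETENTION_DAYS = {"_Required": 400, "_Default": 30}


def parse_log_name(log_name):
    """Split 'projects/P/logs/ID' (or folders/, organizations/,
    billingAccounts/) into (resource, decoded log ID)."""
    parts = log_name.split("/logs/", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("malformed logName: %r" % log_name)
    resource, encoded_id = parts
    # The log ID is URL-encoded inside logName, so '/' appears as '%2F'.
    return resource, unquote(encoded_id)


def classify(entry, now):
    """Return where an entry is stored by default and whether its default
    retention has already expired at time `now` (an aware datetime)."""
    resource, log_id = parse_log_name(entry["logName"])
    if log_id in REQUIRED_LOG_IDS:
        bucket, kind = "_Required", REQUIRED_LOG_IDS[log_id]
    elif log_id in DEFAULT_LOG_IDS:
        bucket, kind = "_Default", DEFAULT_LOG_IDS[log_id]
    else:
        bucket, kind = "_Default", "application or service log"
    # Timestamps in log entries are RFC 3339; normalise the 'Z' suffix so
    # fromisoformat() accepts it on older Python versions.
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    retained_until = ts + timedelta(days=RETENTION_DAYS[bucket])
    return {
        "resource": resource,   # the bucket belongs to this resource
        "log_id": log_id,
        "kind": kind,
        "bucket": bucket,
        "retained_until": retained_until,
        "expired": now > retained_until,
    }


def report(entries, now):
    """Classify a list of entries; returns one dict per entry."""
    return [classify(e, now) for e in entries]


# Constructed sample entries (not real log data) evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2023-11-14T08:00:00Z"},   # ~200 days old: still in _Required
    {"logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2024-04-17T08:00:00Z"},   # 45 days old: aged out of _Default
    {"logName": "projects/my-project/logs/stdout",
     "timestamp": "2024-05-22T08:00:00Z"},   # 10 days old: still in _Default
]

if __name__ == "__main__":
    for r in report(SAMPLE_ENTRIES, NOW):
        state = "EXPIRED" if r["expired"] else "retained"
        print("%-28s -> %-9s %s until %s" % (
            r["kind"], r["bucket"], state, r["retained_until"].date()))
```

Running the script shows the Data Access entry as expired while the older Admin Activity entry is still retained, which is the point to remember when you plan how long Data Access audit logs must stay available.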
User-defined log buckets
You can create user-defined log buckets in any Cloud de Confiance project. When you create a user-defined log bucket, you select the location. You have the option to provide a customer-managed encryption key.
You can modify and delete user-defined log buckets. To protect against deleting a log bucket that still stores log entries within their retention period, you can lock the log bucket against updates. A locked bucket can't be modified or deleted unless it is empty, and the lock can't be removed, so lock a bucket only after you are satisfied with its location, encryption, and retention settings.
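The controls described above and under Support for organizations and folders (location, customer-managed encryption key, retention, locking) are easy to get wrong on buckets that already exist, because an organization policy only constrains new buckets. The following audit is an added example, not part of this documentation or of Cloud Logging; it reads the JSON shape of the LogBucket resource, as returned by gcloud logging buckets list --format=json (fields name, retentionDays, locked, lifecycleState, cmekSettings.kmsKeyName), and reports deviations from a policy. The policy values, the sample buckets, and the key name are constructed for the example and are not defaults of the service.

```python
# Added example (not part of the Cloud Logging documentation): audit the log
# buckets of a resource against location, CMEK, retention and locking policy.
# Input: a list of LogBucket resources as printed by
#   gcloud logging buckets list --project=PROJECT --format=json
import re

# Policy values are assumptions for this example; replace them with your own.
ALLOWED_LOCATIONS = {"u-france-east1"}
MIN_RETENTION_DAYS = 90
REQUIRE_CMEK = True
SYSTEM_BUCKETS = {"_Required", "_Default"}
# Assumption: a bucket listed without retentionDays uses the service default.
SERVICE_DEFAULT_RETENTION_DAYS = 30

# Bucket resource names embed the location, which is how we recover it.
BUCKET_NAME_RE = re.compile(
    r"^(?P<parent>(projects|folders|organizations|billingAccounts)/[^/]+)"
    r"/locations/(?P<location>[^/]+)/buckets/(?P<bucket_id>[^/]+)$")


def parse_bucket_name(name):
    """Return (parent, location, bucket_id) from a full bucket name."""
    m = BUCKET_NAME_RE.match(name)
    if not m:
        raise ValueError("malformed log bucket name: %r" % name)
    return m.group("parent"), m.group("location"), m.group("bucket_id")


def audit_bucket(bucket):
    """Return a list of findings for one bucket; an empty list is compliant."""
    parent, location, bucket_id = parse_bucket_name(bucket["name"])
    is_system = bucket_id in SYSTEM_BUCKETS
    findings = []

    if location not in ALLOWED_LOCATIONS:
        # A bucket's location is fixed. For system buckets the only remedy is
        # default resource settings on the parent so that *new* resources
        # get compliant buckets; existing data cannot be moved.
        findings.append("location %s not in allowed set %s%s" % (
            location, sorted(ALLOWED_LOCATIONS),
            " (system bucket: location cannot be changed)" if is_system else ""))

    if REQUIRE_CMEK and not bucket.get("cmekSettings", {}).get("kmsKeyName"):
        findings.append("no customer-managed encryption key configured")

    retention = bucket.get("retentionDays", SERVICE_DEFAULT_RETENTION_DAYS)
    if retention < MIN_RETENTION_DAYS:
        findings.append("retention %d days is below the %d-day minimum" % (
            retention, MIN_RETENTION_DAYS))

    # Locking is the documented guard against deleting user-defined buckets
    # while entries are still within retention; system buckets can't be
    # deleted anyway, so they are not checked.
    if not is_system and not bucket.get("locked", False):
        findings.append("bucket is not locked against updates and deletion")

    if bucket.get("lifecycleState") == "DELETE_REQUESTED":
        findings.append("bucket is pending deletion; its log data will be lost")

    return findings


def audit_buckets(buckets):
    """Audit every bucket; returns {full bucket name: [findings]}."""
    return {b["name"]: audit_bucket(b) for b in buckets}


# Constructed sample output (not real project data).
SAMPLE_BUCKETS = [
    {"name": "projects/my-project/locations/global/buckets/_Required",
     "retentionDays": 400, "lifecycleState": "ACTIVE"},
    {"name": "projects/my-project/locations/global/buckets/_Default",
     "retentionDays": 30, "lifecycleState": "ACTIVE"},
    {"name": "projects/my-project/locations/u-france-east1/buckets/audit-archive",
     "retentionDays": 365, "locked": True, "lifecycleState": "ACTIVE",
     "cmekSettings": {"kmsKeyName": "projects/my-kms-project/locations/"
                      "u-france-east1/keyRings/logging/cryptoKeys/log-bucket-key"}},
    {"name": "projects/my-project/locations/global/buckets/scratch",
     "retentionDays": 7, "lifecycleState": "DELETE_REQUESTED"},
]

if __name__ == "__main__":
    for name, findings in audit_buckets(SAMPLE_BUCKETS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

In the sample, only audit-archive passes; the two system buckets are flagged for their global location and missing key, which is exactly the situation default resource settings are meant to prevent for resources created later.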
Control access to a log bucket
IAM permissions and roles control access to log data. For example, you can do all of the following:
- Grant read and edit access to a log bucket.
- Grant edit access to a log bucket based on group membership by using tags.
- Control access to specific fields in a log entry by configuring field-level access on a log bucket.
- Grant access to a subset of log entries in a log bucket by creating a log view on that log bucket. Every log bucket has a default log view, which typically includes every log entry in the log bucket. For the _Default log bucket, the default log view excludes Data Access audit log entries.
To give a user the permissions they need to view and analyze log entries, typically one of the following IAM roles is granted:
- Logs Viewer (roles/logging.viewer) role: Grants access to all log entries in the _Required bucket, and access to the default log view on the _Default bucket.
- Private Logs Viewer (roles/logging.privateLogViewer) role: Grants access to all logs in the _Required and _Default buckets, including Data Access audit logs.
If you create user-defined log buckets or log views on log buckets, then additional permissions are required. For more information about roles, see Access control with IAM.
List of supported regions
Log buckets are regional resources. The infrastructure that stores, indexes, and searches your log entries is located in a specific geographical location. With the exception of log buckets in the global, eu, or us regions, Cloud de Confiance by S3NS manages the infrastructure so that your log data is available redundantly across the zones within the region of the log bucket.
The following regions are supported by Cloud Logging:
| Region name | Region description | 
|---|---|
| u-france-east1 | France | 
| global | Logs stored in any data centers that are in any supported region. Logs might be moved to different data centers. No additional redundancy guarantees. If you want to choose the storage location for your log data, then use a regional log bucket. |