gcp-audit-logs
npx machina-cli add skill BagelHole/DevOps-Security-Agent-Skills/gcp-audit-logs --openclaw
Files (1): SKILL.md (1.6 KB)
GCP Audit Logs
Audit GCP activity with Cloud Audit Logs.
Audit Log Types
log_types:
  admin_activity:
    - Always enabled
    - API calls that modify resources
    - No charge
  data_access:
    - Must be enabled
    - Read/write data operations
    - Can be high volume
  system_event:
    - Always enabled
    - GCP system actions
  policy_denied:
    - Always enabled
    - Access denials
Enable Data Access Logs
# Route all Cloud Audit Logs in the project to a Cloud Storage bucket.
# A sink only exports logs; it does not by itself turn on Data Access logs.
# gcloud prints the sink's writer identity: grant it object-create access
# on the bucket or the export silently fails.
gcloud logging sinks create audit-sink \
  storage.googleapis.com/audit-logs-bucket \
  --log-filter='logName:"cloudaudit.googleapis.com"'

# Data Access logs are enabled in the project's IAM policy
gcloud projects get-iam-policy PROJECT_ID > policy.yaml
# Add an auditConfigs section to policy.yaml: one entry per service (or
# allServices) listing the logTypes to enable (DATA_READ, DATA_WRITE, ADMIN_READ)
gcloud projects set-iam-policy PROJECT_ID policy.yaml
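The "Add auditConfigs section" step above is done by hand in the skill. The script below, added here as an example and not part of the original skill, performs that edit on a policy fetched as JSON (`gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json`, then `gcloud projects set-iam-policy PROJECT_ID policy.json`). The sample policy, its placeholder etag, and the principals in it are constructed; the `auditConfigs` / `auditLogConfigs` / `logType` / `exemptedMembers` field names are the real IAM policy schema.

```python
"""Enable Data Access audit logs by editing a project IAM policy.

Added example, not part of the original skill. Assumes the policy was fetched
with `--format=json` and is written back with `set-iam-policy`.
The sample policy below is constructed, not from a real project.
"""
import copy
import json

# logType values accepted in an IAM auditConfig
VALID_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

# Constructed sample of a policy with no audit configuration yet
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]}
    ],
    "etag": "PLACEHOLDER_ETAG",  # placeholder; a real policy carries an opaque etag
    "version": 1,
})


def load_sample_policy():
    """Parse the constructed sample policy into a dict."""
    return json.loads(SAMPLE_POLICY_JSON)


def enabled_log_types(policy, service="allServices"):
    """Return the set of logTypes currently enabled for `service`."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == service:
            return {c["logType"] for c in cfg.get("auditLogConfigs", []) if "logType" in c}
    return set()


def enable_data_access_logs(policy, service="allServices",
                            log_types=("DATA_READ", "DATA_WRITE"),
                            exempted_members=()):
    """Return a copy of `policy` whose auditConfigs enable `log_types` for `service`.

    Existing entries are merged rather than duplicated, and the rest of the
    policy (bindings, etag, version) is left untouched so set-iam-policy's
    etag check still protects against concurrent edits.
    """
    unknown = set(log_types) - set(VALID_LOG_TYPES)
    if unknown:
        raise ValueError(f"unknown logType(s): {sorted(unknown)}")
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in audit_configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        audit_configs.append(entry)
    log_configs = entry.setdefault("auditLogConfigs", [])
    for log_type in log_types:
        cfg = next((c for c in log_configs if c.get("logType") == log_type), None)
        if cfg is None:
            cfg = {"logType": log_type}
            log_configs.append(cfg)
        # exemptedMembers suppresses logging for a noisy principal (e.g. a
        # backup service account); merge without duplicates
        for member in exempted_members:
            members = cfg.setdefault("exemptedMembers", [])
            if member not in members:
                members.append(member)
    return new_policy


def update_policy_file(path, **kwargs):
    """Rewrite the JSON policy at `path` in place with Data Access logs enabled."""
    with open(path) as fh:
        policy = json.load(fh)
    with open(path, "w") as fh:
        json.dump(enable_data_access_logs(policy, **kwargs), fh, indent=2)


if __name__ == "__main__":
    print(json.dumps(enable_data_access_logs(load_sample_policy()), indent=2))
```

Run it on a real file with `update_policy_file("policy.json")`, or narrow the scope by passing a single service (for example `service="storage.googleapis.com"`) instead of `allServices`, which keeps the high-volume Data Access logs limited to the resources the skill calls sensitive.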
BigQuery Analysis
-- Query audit logs from the BigQuery export (date-sharded activity tables).
-- LOWER() makes the match case-insensitive: BigQuery LIKE is case-sensitive
-- and method names mix dotted lower-case and CamelCase styles.
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail,
  protopayload_auditlog.methodName,
  resource.labels.project_id
FROM `project.dataset.cloudaudit_googleapis_com_activity_*`
WHERE timestamp > TIMESTAMP_SUB(CURRENT_TIMESTAMP(), INTERVAL 7 DAY)
  AND LOWER(protopayload_auditlog.methodName) LIKE '%delete%'
ORDER BY timestamp DESC
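The same triage can be run over the raw entries a Cloud Storage sink writes, which is useful when logs were exported to a bucket for retention rather than to BigQuery. The script below is an added example, not part of the original skill: it applies the query's filter (last 7 days, methodName containing "delete", newest first) to newline-delimited JSON entries. In raw entries the payload field is `protoPayload`; the BigQuery export names that column `protopayload_auditlog`. The log lines, principals, project name and `SAMPLE_NOW` are constructed samples.

```python
"""Find recent delete operations in exported Cloud Audit Log entries.

Added example, not part of the original skill. Input is newline-delimited
JSON as written by a Cloud Storage log sink. Sample entries are constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed Admin Activity entries. Method names follow the styles GCP
# services actually use: dotted lower-case and CamelCase.
SAMPLE_LOG_LINES = "\n".join(json.dumps(e) for e in [
    {"timestamp": "2024-06-09T14:03:11.482000Z",
     "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "methodName": "storage.buckets.delete"},
     "resource": {"type": "gcs_bucket", "labels": {"project_id": "demo-project"}}},
    {"timestamp": "2024-06-08T09:15:00.000000Z",
     "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"authenticationInfo": {"principalEmail": "deploy@demo-project.iam.gserviceaccount.com"},
                      "methodName": "google.iam.admin.v1.DeleteServiceAccount"},
     "resource": {"type": "service_account", "labels": {"project_id": "demo-project"}}},
    {"timestamp": "2024-06-07T18:42:30.000000Z",
     "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"authenticationInfo": {"principalEmail": "bob@example.com"},
                      "methodName": "v1.compute.instances.insert"},
     "resource": {"type": "gce_instance", "labels": {"project_id": "demo-project"}}},
    {"timestamp": "2024-05-20T11:00:00.000000Z",
     "logName": "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"authenticationInfo": {"principalEmail": "carol@example.com"},
                      "methodName": "v1.compute.instances.delete"},
     "resource": {"type": "gce_instance", "labels": {"project_id": "demo-project"}}},
])

# Constructed "current time" so the 7-day window is reproducible
SAMPLE_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)


def parse_timestamp(ts):
    """Parse an RFC 3339 timestamp such as 2024-06-09T14:03:11.482000Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_recent_deletes(log_lines, now=None, days=7, pattern="delete",
                        case_insensitive=True):
    """Return matching entries, newest first, as dicts with the same four
    fields the BigQuery query selects."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=days)
    hits = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        if parse_timestamp(entry["timestamp"]) <= cutoff:
            continue
        haystack = method.lower() if case_insensitive else method
        needle = pattern.lower() if case_insensitive else pattern
        if needle not in haystack:
            continue
        hits.append({
            "timestamp": parse_timestamp(entry["timestamp"]),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "method": method,
            "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
        })
    hits.sort(key=lambda h: h["timestamp"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in find_recent_deletes(SAMPLE_LOG_LINES, now=SAMPLE_NOW):
        print(hit["timestamp"].isoformat(), hit["principal"], hit["method"], hit["project"])
```

With `case_insensitive=False` the CamelCase `DeleteServiceAccount` entry drops out of the results, which is the same gap a case-sensitive `LIKE '%delete%'` leaves in the BigQuery query.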
Best Practices
- Export to BigQuery for analysis
- Configure log retention
- Enable data access logs for sensitive resources
- Set up alerting policies
Source
https://github.com/BagelHole/DevOps-Security-Agent-Skills/blob/main/compliance/auditing/gcp-audit-logs/SKILL.md
Overview
Configure Cloud Audit Logs to track GCP activity for compliance and security. This skill covers the four audit log types, how to route logs with sinks, and how to analyze them in BigQuery to support audits and incident investigations.
How This Skill Works
GCP activity is captured through admin_activity, data_access, system_event, and policy_denied logs. You create a log sink to export these logs (for example to a Cloud Storage bucket) and add an auditConfigs section to the project's IAM policy to enable data access logging. You then analyze the exported data in BigQuery using SQL queries such as the provided sample to identify recent events like deletes.
When to Use It
- When you need to review who changed resources in GCP (admin activity)
- When you require visibility into data access operations for sensitive data
- When enforcing compliance by exporting and retaining logs
- When investigating security incidents or access denials (policy_denied)
- When performing BigQuery-based audits and reporting
Quick Start
- Step 1: Enable the desired audit log types and create a sink (example: gcloud logging sinks create audit-sink storage.googleapis.com/audit-logs-bucket --log-filter='logName:"cloudaudit.googleapis.com"')
- Step 2: Update IAM policy to enable data access logs: gcloud projects get-iam-policy PROJECT_ID > policy.yaml; modify policy.yaml to add auditConfigs, then run gcloud projects set-iam-policy PROJECT_ID policy.yaml
- Step 3: Analyze logs in BigQuery using the provided SQL against project.dataset.cloudaudit_googleapis_com_activity_* for the last 7 days
Best Practices
- Export to BigQuery for analysis
- Configure log retention
- Enable data access logs for sensitive resources
- Set up alerting policies
- Use targeted log filters to limit captured data
Example Use Cases
- Auditing admin activity across multiple GCP projects
- Enabling and reviewing data access logs for a sensitive dataset (e.g., Cloud Storage objects)
- Exporting audit logs to BigQuery for security reporting
- Investigating a delete operation with a specific methodName
- Setting up an audit sink to a Cloud Storage bucket for long-term retention