IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types

Description

A best practice is to enable ‘DATA_READ’ and ‘DATA_WRITE’ data access log types as part of the default IAM audit log config, so that read and write operations on user-provided data are tracked across all relevant services. Please note that the ‘ADMIN_WRITE’ log type and BigQuery data access logs are enabled by default.

Remediation Steps

Google Cloud Console

  • Navigate to Audit Logs.

  • Click on Set Default Configuration at the top of the page.

  • In the Log Type tab, select the Data Write and Data Read boxes.

  • Click Save.

gcloud CLI

  • Run the following command to read the project’s IAM policy:

gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml

  • Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.

gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

  • Edit the exported policy file (for example /tmp/project_policy.yaml), adding or changing only the audit logs configuration to:

auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  service: allServices

  • To write the new IAM policy, run the command matching the level at which the policy was exported:

gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
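The export, edit and write-back steps above are easy to get wrong by hand: overwriting another service's audit config, dropping its exemptedMembers, or losing the etag that set-iam-policy uses to detect concurrent changes. The following script is an added example, not part of this page or of any Google tooling. It assumes the policy was exported as JSON rather than YAML (gcloud supports --format=json on get-iam-policy), reports which of DATA_READ and DATA_WRITE are missing from the allServices default config, and produces a corrected policy that changes nothing else. The embedded policy is a constructed sample; all member names, the etag and the per-service entry are placeholders.

```python
"""Check and remediate the allServices (default) IAM audit log config in an
exported GCP IAM policy.

Added example (not from the original page). Assumes the policy was exported
with a command such as:
    gcloud projects get-iam-policy PROJECT_ID --format=json > /tmp/project_policy.json
"""
import copy
import json

REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}
DEFAULT_SERVICE = "allServices"

# Constructed sample policy. The default config only has ADMIN_WRITE, and one
# service has its own config with an exemption that must survive remediation.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_WRITE"}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ", "exemptedMembers": ["user:example-exempt@example.com"]}
      ]
    }
  ],
  "bindings": [
    {"role": "roles/viewer", "members": ["user:example-viewer@example.com"]}
  ],
  "etag": "BwXyPlaceholder=",
  "version": 1
}
"""


def missing_default_log_types(policy: dict) -> set:
    """Return the required log types absent from the allServices audit config.
    If there is no allServices entry at all, every required type is missing."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == DEFAULT_SERVICE:
            present = {c.get("logType") for c in cfg.get("auditLogConfigs", [])}
            return REQUIRED_LOG_TYPES - present
    return set(REQUIRED_LOG_TYPES)


def add_default_log_types(policy: dict) -> dict:
    """Return a deep copy of the policy whose allServices config includes
    DATA_READ and DATA_WRITE. Bindings, the etag, existing log types and
    per-service configs (including exemptedMembers) are left untouched."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    default = next((c for c in configs if c.get("service") == DEFAULT_SERVICE), None)
    if default is None:
        default = {"service": DEFAULT_SERVICE, "auditLogConfigs": []}
        configs.append(default)
    log_configs = default.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_configs}
    for log_type in sorted(REQUIRED_LOG_TYPES - present):
        log_configs.append({"logType": log_type})
    return fixed


def check_policy_text(policy_json: str) -> tuple:
    """Parse an exported JSON policy and return (missing_types, fixed_policy)."""
    policy = json.loads(policy_json)
    return missing_default_log_types(policy), add_default_log_types(policy)


if __name__ == "__main__":
    missing, fixed = check_policy_text(SAMPLE_POLICY_JSON)
    if missing:
        print("Default audit config is missing:", ", ".join(sorted(missing)))
        # Write this out and feed it back with:
        #   gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy_fixed.json
        print(json.dumps(fixed, indent=2))
    else:
        print("Default audit config already includes DATA_READ and DATA_WRITE")
```

The script only ever appends to the allServices entry, so a policy that is already compliant comes back unchanged, and the etag from the export is preserved so the write-back fails safely if someone else modified the policy in between. Per-service audit configs supplement the default; this check deliberately looks at the default alone, because that is the configuration this recommendation is about.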