IAM default audit log config should include ‘DATA_READ’ and ‘DATA_WRITE’ log types
A best practice is to enable ‘DATA_READ’ and ‘DATA_WRITE’ data access log types as part of the default IAM audit log config, so that read and write operations on user-provided data are tracked across all relevant services. Please note that the ‘ADMIN_WRITE’ log type and BigQuery data access logs are enabled by default.
Google Cloud Console
Navigate to Audit Logs.
Click on Set Default Configuration at the top of the page.
In the Log Type tab, select the Data Write and Data Read boxes.
Run the following command to read the project’s IAM policy:

gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.

gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

Edit the policy file you exported (e.g. /tmp/project_policy.yaml), adding or changing only the audit logs configuration to:

auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  service: allServices
To write the new IAM policy, run the command for the level at which you edited it:

gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
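The edit step above is easy to get wrong by hand (a duplicated logType, a dropped binding or etag), so here is an added example, not part of this page or of Google's tooling, that checks an exported policy for the required default log types and produces a corrected copy. It works on the JSON form of the policy (`gcloud projects get-iam-policy PROJECT_ID --format=json`) so that it needs no YAML library; the sample policy embedded below is constructed for illustration, and the function names are ours.

```python
import copy
import json
import sys

# Log types this check requires on the default ("allServices") audit config.
REQUIRED_LOG_TYPES = ("DATA_READ", "DATA_WRITE")

# Constructed sample policy in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# It has a default audit config, but only ADMIN_READ is enabled.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {"auditLogConfigs": [{"logType": "ADMIN_READ"}], "service": "allServices"}
  ],
  "bindings": [
    {"members": ["user:alice@example.com"], "role": "roles/owner"}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}
"""


def _default_config(policy):
    """Return the audit config entry for allServices, or None if absent."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            return cfg
    return None


def missing_default_log_types(policy):
    """Required log types not enabled on the allServices audit config.

    An entry that carries exemptedMembers is still counted as enabled here;
    exemptions are reported separately by exempted_default_log_types().
    """
    default = _default_config(policy)
    enabled = set()
    if default is not None:
        enabled = {c.get("logType") for c in default.get("auditLogConfigs", [])}
    return [t for t in REQUIRED_LOG_TYPES if t not in enabled]


def exempted_default_log_types(policy):
    """Required log types that are enabled but exempt some principals."""
    default = _default_config(policy)
    if default is None:
        return []
    return [
        c.get("logType")
        for c in default.get("auditLogConfigs", [])
        if c.get("logType") in REQUIRED_LOG_TYPES and c.get("exemptedMembers")
    ]


def ensure_default_log_types(policy):
    """Return a deep copy of the policy with DATA_READ and DATA_WRITE enabled for allServices.

    Only auditConfigs is touched: bindings, etag and version are preserved, so the
    result can be fed straight to `gcloud ... set-iam-policy`. Existing log entries
    (including ADMIN_READ and per-service configs) are kept, and a logType is never
    duplicated, which the API would reject.
    """
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    default = _default_config(fixed)
    if default is None:
        default = {"auditLogConfigs": [], "service": "allServices"}
        configs.append(default)
    log_cfgs = default.setdefault("auditLogConfigs", [])
    present = {c.get("logType") for c in log_cfgs}
    for log_type in REQUIRED_LOG_TYPES:
        if log_type not in present:
            log_cfgs.append({"logType": log_type})
    return fixed


if __name__ == "__main__":
    # Usage: python check_audit_config.py < policy.json > fixed_policy.json
    # With no stdin redirect, the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY_JSON
    policy = json.loads(raw)
    for t in missing_default_log_types(policy):
        print(f"missing default log type: {t}", file=sys.stderr)
    for t in exempted_default_log_types(policy):
        print(f"default log type {t} has exemptedMembers", file=sys.stderr)
    json.dump(ensure_default_log_types(policy), sys.stdout, indent=2)
    print()
```

Two practical points the script is built around: `set-iam-policy` replaces the whole policy, not just the audit section, so the corrected file must carry every binding from the export unchanged; and the `etag` from the export must be kept so that the write is rejected if someone else modified the policy in between. Exempted members are reported rather than silently removed, because deciding whether an exemption is legitimate is a review decision, not something a script should make.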