IAM default audit log config should not exempt any users
A project's default audit log config should not exempt any users, so that admin write operations and data access operations performed by every user are logged.
Google Cloud Console
Navigate to Audit Logs.
Click on Set Default Configuration at the top of the page.
In the Exempted Users tab, hover over a user name and select the trash icon that appears.
Once the user’s name is shown in strikethrough text, click Save.
Run the following command to read the project’s IAM policy:
gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml
Alternatively, the policy can be read and set at the organization or folder level. If the policy is set at the organization level, it does not also need to be set for each folder or project.
gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml
Edit the policy in /tmp/project_policy.yaml and remove
To write new IAM policy run the following command:
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
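The editing step between get-iam-policy and set-iam-policy is the part most easily done wrong by hand, so here is an added example (not from the original page and not Google's own tooling) that does it programmatically. It assumes the policy was exported as JSON with gcloud's --format=json flag, which is the same IAM policy structure as the YAML above: exemptions live in the exemptedMembers list of each auditLogConfigs entry. The script first lists every exempted member (the check a reviewer wants before changing anything), then returns a copy of the policy with all exemptedMembers lists removed while leaving bindings, version and the etag intact, since set-iam-policy uses the etag to reject writes against a policy that changed in the meantime. The sample policy, project and member names are constructed for the example.

```python
import copy
import json

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# with exemptions on DATA_WRITE and DATA_READ (names and etag are made up).
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_WRITE", "exemptedMembers": ["user:alice@example.com"]},
        {"logType": "DATA_READ",
         "exemptedMembers": ["user:alice@example.com",
                             "serviceAccount:batch@example-project.iam.gserviceaccount.com"]}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ", "exemptedMembers": ["group:analysts@example.com"]}
      ]
    }
  ],
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
"""


def load_policy(text):
    """Parse the JSON text written by gcloud ... get-iam-policy --format=json."""
    return json.loads(text)


def find_exempted_members(policy):
    """Return (service, logType, member) for every audit-log exemption in the policy.

    An empty result means no principal is excluded from any audit log type.
    """
    findings = []
    for audit_config in policy.get("auditConfigs", []):
        service = audit_config.get("service", "")
        for log_config in audit_config.get("auditLogConfigs", []):
            for member in log_config.get("exemptedMembers", []):
                findings.append((service, log_config.get("logType", ""), member))
    return findings


def strip_exempted_members(policy):
    """Return a deep copy of the policy with every exemptedMembers list removed.

    The logType entries themselves stay, so logging remains enabled; bindings,
    version and etag are untouched so the file can be passed straight to
    gcloud ... set-iam-policy.
    """
    cleaned = copy.deepcopy(policy)
    for audit_config in cleaned.get("auditConfigs", []):
        for log_config in audit_config.get("auditLogConfigs", []):
            log_config.pop("exemptedMembers", None)
    return cleaned


def main():
    policy = load_policy(SAMPLE_POLICY_JSON)
    for service, log_type, member in find_exempted_members(policy):
        print(f"exempted: service={service} logType={log_type} member={member}")
    cleaned = strip_exempted_members(policy)
    # Write this out and feed it to set-iam-policy; the etag is preserved.
    print(json.dumps(cleaned, indent=2))


if __name__ == "__main__":
    main()
```

Run find_exempted_members on the exported policy first and keep its output as the evidence of what was removed; then write the cleaned policy to a file and apply it with the set-iam-policy command for the same resource level the policy was read from. Re-running find_exempted_members on a fresh export afterwards should return nothing.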