Audit Logs
Start course

To help you get the most out of the security tools offered in Google Cloud, this Course covers how to properly manage IAM, service accounts, and audit logs.

Learning Objectives

  •  How you can manage identity and access management in GCP
  •  Learn about service accounts, what they mean, and how you can manage them
  •  Audit logs and how to review them

Intended Audience

This Course is intended for cloud administrators. If you are a cloud security practitioner or are involved in any sort of development with GCP, you will also benefit from taking this Course.


  • Completion of Google Cloud Platform Fundamentals course on Cloud Academy or practical working experience with GCP infrastructure
  • Basic proficiency with command-line tools and Linux operating system environments

In this lecture, I am going to cover the basics of audit logs in Google Cloud Platform.

Normally, in a production environment, there are many different users, applications, and resources. All these components are constantly interacting with each other. So what happens when something goes wrong? What if a VM is deleted and you want to know who did it? What if you are denied access to a resource that you should be authorized to manage? With so many things happening at once, it can be almost impossible to figure out what went wrong without having detailed logs.

Google Cloud services maintain audit logs that record all activity and access to your GCP resources. They contain records of all critical events in your system and help answer questions such as: Which resource was accessed? Who accessed the resource? What action was attempted? When did the attempt occur?

There can be hundreds, thousands, or even millions of operations going on in a production environment. That is why Google provides scalable logging and searching tools, all accessible from a single, easy-to-use dashboard. Now because the audit logs are tracking and recording so many different things, they are broken up into four main categories: 

  1. Admin Activity
  2. Data Access 
  3. System Event
  4. Policy Denied

Admin Activity audit logs record any attempts to create, delete or modify your resources. So an example would be provisioning a new Cloud SQL database. Data Access audit logs contain entries for reading or writing data to your resources. So this would be something like reading from or writing data to a Cloud SQL database. System Event audit logs contain entries for Google-initiated actions. These are actions that are triggered by Google that modify the configuration of your resources. System event logs can help you identify if the problem exists in your systems or in Google’s.

Policy Denied audit logs record every time a user or service account is denied access to a resource. You can use these logs to investigate suspicious activity or identify potential issues. All four of these audit logs will help you protect your data and prevent system misuse.

About the Author
Learning Paths

Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.

Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.

When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.