Cloud Monitoring Access Control
Cloud Logging Access Control
This course looks at logging and monitoring access control on Google Cloud Platform. We start by looking at monitoring IAM, and you'll also learn about the IAM permissions and roles that apply specifically to monitoring. A demonstration from the GCP cloud console will show you how to grant monitoring permissions through role assignments.
Then we'll move on to monitoring access control via VPC Service Controls as well as covering cloud logging access control. We’ll start with an overview, before taking a closer look at specific IAM roles and permissions that are used to grant access to Cloud Logging. Finally, we'll look at Logs Explorer permissions and show which permissions you need to export logs.
- Get a solid understanding of monitoring and logging access control on GCP
- Learn about the IAM permissions and roles for monitoring
- Learn how to monitor access control using VPC Service Controls
- Understand the roles and permissions used to grant access to cloud logging
- Learn Logs Explorer permissions for exporting logs
This course is intended for anyone who wants to learn how to configure logging and monitoring access control on the GCP platform.
To get the most out of this course, you should have some experience of using GCP, as well as knowledge of IAM principles.
Before you can begin using Logging with logging data in a project in GCP, you need to be a member and you need to be assigned an IAM role that grants you the necessary permissions to use Logging. These IAM permissions and roles are used to determine who can use the Logging API, the Logs Explorer, and the gcloud command-line tool.
There are several IAM roles that apply to Logging. They include Logs Viewer, Private Logs Viewer, Logs Writer, Logs Buckets Writer, and Logs Configuration Writer. We also have the Logs Configuration Writer role, the Logging Admin role, the Logs View Accessor role, and the Project Viewer role. Rounding out the list are Project Editor and Project Owner.
The table on your screen shows each role and what access each provides.
For example, you can see here that the Logs Viewer role provides read-only access to all Logging features, except for Access Transparency logs and Data Access audit logs. The Private Logs Viewer role grants access to the Access Transparency logs and to Data Access audit logs, in addition to the access granted by the Logs Viewer role.
The Logs Writer role is granted to a service account in order to allow the associated application to write logs, while Logging Admin, as you might expect, grants all permissions related to logging.
Further down the list here, we have the project-related roles. As we see here, the Project Viewer role actually provides the same permissions as the Logs Viewer role, but it applies only to the _Required and _Default buckets.
Project Editor includes everything the Logs Viewer role does, but also provides permission to write log entries, delete logs, and to create logs-based metrics.
And lastly, we have the Project Owner role that grants full access to Logging, including Access Transparency logs and Data Access audit logs.
While I wouldn’t expect you to have to memorize all of these, you should familiarize yourself with them.
Join me in the next lesson, where we will take a look at the specific permissions that are granted by each role.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.