VPC Service Controls

This course looks at logging and monitoring access control on Google Cloud Platform. We start by looking at monitoring IAM, and you'll also learn about the IAM permissions and roles that apply specifically to monitoring. A demonstration from the GCP cloud console will show you how to grant monitoring permissions through role assignments.

Then we'll move on to monitoring access control via VPC Service Controls as well as covering cloud logging access control. We’ll start with an overview, before taking a closer look at specific IAM roles and permissions that are used to grant access to Cloud Logging. Finally, we'll look at Logs Explorer permissions and show which permissions you need to export logs.

Learning Objectives

  • Get a solid understanding of monitoring and logging access control on GCP
  • Learn about the IAM permissions and roles for monitoring
  • Learn how to monitor access control using VPC Service Controls
  • Understand the roles and permissions used to grant access to cloud logging
  • Learn Logs Explorer permissions for exporting logs

Intended Audience

This course is intended for anyone who wants to learn how to configure logging and monitoring access control on the GCP platform.


To get the most out of this course, you should have some experience of using GCP, as well as knowledge of IAM principles.


Before we wrap up this section on Monitoring access, let’s talk a little bit about VPC Service Controls. While most access to Monitoring is granted through the use of IAM roles, VPC Service Controls can also be used to further manage access to monitoring data.

Using VPC Service Controls in addition to IAM roles allows you to further secure Cloud Monitoring, while reducing the risk of data theft. You can accomplish this by adding Workspaces to Service Perimeters. These Service Perimeters, in turn, protect your Cloud Monitoring services and resources from requests that come from outside your perimeter.

You can configure VPC Service Controls perimeters in either Enforced mode or Dry Run mode. Enforced mode, which is the default, denies requests to protected Monitoring resources and services when those requests originate from outside the perimeter. Dry Run mode is used mainly to test your perimeter configuration and to monitor access to resources and services without blocking that access.


So, while IAM roles play a major role in access control to Monitoring data, VPC Service Controls can play a part as well.
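To make the Enforced versus Dry Run distinction concrete, the following added example (not part of the original course material) tallies VPC Service Controls violation records for Cloud Monitoring and lists the callers a dry-run perimeter would block once enforced. It assumes the `VpcServiceControlAuditMetadata` field layout used in Cloud Audit Logs policy-denied entries; the log lines, principals and perimeter name are constructed placeholders.

```python
import json
from collections import Counter

# Assumed field layout: VPC Service Controls violation records in Cloud Audit Logs.
VPCSC_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"
SERVICE = "monitoring.googleapis.com"
LIST_TS = "google.monitoring.v3.MetricService.ListTimeSeries"
PERIMETER = "accessPolicies/POLICY_ID/servicePerimeters/example_perimeter"  # placeholder

def make_entry(principal, dry_run, method=LIST_TS):
    """Build one constructed violation record as a JSON line (sample data only)."""
    meta = {"@type": VPCSC_TYPE, "violationReason": "NO_MATCHING_ACCESS_LEVEL",
            "securityPolicyInfo": {"servicePerimeterName": PERIMETER}}
    if dry_run:
        meta["dryRun"] = True  # assumed: enforced denials carry no dryRun flag
    return json.dumps({"protoPayload": {
        "serviceName": SERVICE, "methodName": method,
        "authenticationInfo": {"principalEmail": principal}, "metadata": meta}})

# Constructed sample input: principals are placeholders, not real accounts.
SAMPLE_LINES = [
    make_entry("ci@example-project.iam.gserviceaccount.com", dry_run=True),
    make_entry("ci@example-project.iam.gserviceaccount.com", dry_run=True),
    make_entry("dashboards@example.com", dry_run=True),
    make_entry("vendor@example.net", dry_run=False),
    json.dumps({"protoPayload": {"serviceName": SERVICE, "methodName": LIST_TS}}),
    "truncated {not json",
]

def summarize(lines):
    """Count Monitoring violations per (principal, method), split by perimeter mode."""
    result = {"enforced": Counter(), "dry_run": Counter()}
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed or non-object line
        meta = payload.get("metadata") or {}
        if meta.get("@type") != VPCSC_TYPE or payload.get("serviceName") != SERVICE:
            continue  # ordinary audit entry, or a different protected service
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
        mode = "dry_run" if meta.get("dryRun") else "enforced"
        result[mode][(principal, payload.get("methodName"))] += 1
    return result

def dry_run_only_principals(result):
    """Principals who would be newly blocked if the dry-run config were enforced."""
    enforced = {p for p, _ in result["enforced"]}
    return sorted({p for p, _ in result["dry_run"]} - enforced)

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES), dry_run_only_principals(summarize(SAMPLE_LINES)))
```

Reviewing the dry-run-only principals before switching the perimeter to Enforced mode shows which legitimate callers need an access level or perimeter membership first.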

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.