Enable GCP Audit Logs with Terraform

Masato Naka
3 min read · Apr 30, 2022

Overview

When you start managing GCP resources with Terraform, you also need to care about security. GCP provides Audit Logs for most of its services; however, some of the important Audit Logs are not enabled by default. In this post, I'll briefly explain GCP Audit Logs and how to configure them with Terraform.

GCP Audit Logs Overview

As described in detail in the official doc, GCP provides four types of Audit Logs, three of which are enabled by default and cannot be disabled by users.

  1. Admin Activity audit logs: enabled by default and cannot be disabled ✅
  2. Data Access audit logs: disabled by default ⚠️
  3. System Event audit logs: enabled by default and cannot be disabled ✅
  4. Policy Denied audit logs: enabled by default and cannot be disabled ✅

So we need to consider the remaining one, Data Access audit logs.

GCP Data Access audit logs

The Data Access audit log configuration shows four operation types. The first of them is actually recorded as an Admin Activity audit log, which is why it is always on; only the other three can be switched on or off (and they are the only values accepted as an audit log type in the IAM audit config):

  1. ADMIN_WRITE: Enabled by default and cannot be disabled ✅ (recorded as Admin Activity audit logs)
  2. ADMIN_READ: Records operations that read metadata or configuration information.
  3. DATA_READ: Records operations that read user-provided data.
  4. DATA_WRITE: Records operations that write user-provided data.

So what we need to do is enable the ADMIN_READ, DATA_READ, and DATA_WRITE operations.

Configure Data Access audit logs on GCP Console

Configure for each service

  1. Open Audit Logs on the GCP console. Please note that you can configure Audit Logs at different levels: Organization, Folder, and Project (if you are not familiar with the GCP organization structure, you can read this), so make sure that you're setting it at the proper level.
  2. You can enable/disable each of the ADMIN_READ, DATA_READ, and DATA_WRITE operations for each service.

Configure default value

  1. Open Audit Logs on the GCP console at the level at which you want to configure.
  2. Click on DEFAULT AUDIT CONFIG at the top of the page.
  3. Enable or disable each of ADMIN_READ, DATA_READ, and DATA_WRITE operations.

Configure Data Access audit logs with Terraform

If your organization uses Terraform to manage GCP resources, you might want to configure Data Access audit logs with Terraform as well. Here is how.

The Terraform resource to use depends on the level at which you configure the Data Access audit logs:

  1. Project: google_project_iam_audit_config
  2. Folder: google_folder_iam_audit_config
  3. Organization: google_organization_iam_audit_config

Note that you need to choose the level that matches the unit at which you manage GCP resources with Terraform.

For example, if you manage GCP resources project by project, it makes no sense to configure the audit log at the Organization level in the same Terraform code. It would be better to keep a separate Terraform configuration for organization-wide resource management.

I'll share an example for a project, as I suppose it's common to keep separate Terraform code for each project in most cases.

The following example enables audit logs for all the configurable operations for all services in a project.

allServices is a special value to cover all the services.

You can also configure audit logs for each service (e.g. cloudsql.googleapis.com for Cloud SQL). For more details, please read the Terraform documentation.
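Here is a project-level configuration that covers both what the console steps above do (the default config plus a per-service override) and the Terraform resources just listed. It is an added example written for this post, not the author's original gist: the project ID `my-project` and the service account `batch-reader@my-project.iam.gserviceaccount.com` are assumptions to replace with your own values.

```hcl
# Added example, not the original post's code.
# Assumed values: project ID "my-project" and the service account
# "batch-reader@my-project.iam.gserviceaccount.com" used in the exemption.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0"
    }
  }
}

provider "google" {
  project = "my-project" # assumption: replace with your project ID
}

# Default audit config for every service in the project ("allServices").
# Only ADMIN_READ, DATA_READ and DATA_WRITE are configurable here;
# ADMIN_WRITE is always recorded as Admin Activity audit logs, so it is not listed.
resource "google_project_iam_audit_config" "all_services" {
  project = "my-project"
  service = "allServices"

  audit_log_config {
    log_type = "ADMIN_READ"
  }

  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Service-specific config for Cloud Storage. GCP merges this with the
# allServices config (union of log types and of exempted members), so
# DATA_READ stays enabled for everyone except the exempted principal.
# Exempting a known high-volume reader is how you keep cost under control
# without turning the log type off for the whole service.
resource "google_project_iam_audit_config" "storage" {
  project = "my-project"
  service = "storage.googleapis.com"

  audit_log_config {
    log_type = "DATA_READ"
    exempted_members = [
      # assumption: a batch job that reads objects constantly
      "serviceAccount:batch-reader@my-project.iam.gserviceaccount.com",
    ]
  }
}
```

Two points worth checking before you apply this. First, each `google_project_iam_audit_config` is authoritative for its `service` within the project, so keep exactly one resource per service; two resources for the same service will fight over the IAM policy on every apply. Second, exempted members are exempted even when the `allServices` config enables the same log type without exemptions, so review every `exempted_members` entry as a deliberate gap in your audit trail. For the Folder and Organization levels, the same `service` and `audit_log_config` blocks go into `google_folder_iam_audit_config` (with a `folder` argument) or `google_organization_iam_audit_config` (with an `org_id` argument) instead of `project`. After applying, you can confirm the effective policy with `gcloud projects get-iam-policy my-project --format="yaml(auditConfigs)"`.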

Summary

In this post, I briefly explained what Audit Logs in GCP are and how to configure them. Data Access audit logs are disabled by default because their volume, and therefore their cost, depends on usage. So please take the cost into consideration when you enable them for heavily used services.

I hope this post will be helpful for you, if you liked this post, please give me claps, share it with others, and follow me!


Masato Naka

An SRE engineer, mainly working on Kubernetes. CKA (Feb 2021). His Interests include Cloud-Native application development, and machine learning.