
How to Enable Cloud Audit Logs in GCP

Complete guide to enabling and configuring Google Cloud Audit Logs. Learn to set up Admin Activity logs, Data Access logs, log sinks, exports to BigQuery, and retention policies for compliance and security monitoring.

10 min read · Updated 2026-01-13

Cloud Audit Logs provide a comprehensive record of all administrative actions and data access events in your Google Cloud environment. These logs are essential for security monitoring, compliance audits, forensic investigations, and understanding who did what, when, and where across your cloud infrastructure.

This guide covers enabling audit logs, configuring Data Access logging, setting up exports, and establishing retention policies. For foundational security practices including logging best practices, see our 30 Cloud Security Tips for 2026 guide.

Understanding Cloud Audit Log Types

GCP provides four types of audit logs:

  • Admin Activity logs - API calls that modify resources (always on, free, 400-day retention)
  • Data Access logs - API calls that read data or metadata (configurable, may incur costs)
  • System Event logs - Google-initiated system events (always on, free, 400-day retention)
  • Policy Denied logs - Actions denied by VPC Service Controls or Organization Policies

Step 1: View Existing Audit Logs

Before configuring additional logging, review what's already being captured:

    - Navigate to the [Cloud Logging Console](https://console.cloud.google.com/logs)
    - In the Query builder, enter:
      logName:"cloudaudit.googleapis.com"
    - Click **Run Query** to see all audit log entries

To filter by log type:

# Admin Activity logs only
logName:"cloudaudit.googleapis.com%2Factivity"

# Data Access logs only
logName:"cloudaudit.googleapis.com%2Fdata_access"

# System Event logs only
logName:"cloudaudit.googleapis.com%2Fsystem_event"

Step 2: Enable Data Access Audit Logs

Data Access logs are disabled by default for most services. Enable them for security-critical services:

Option A: Enable via Console (Project Level)

    - Go to [IAM & Admin > Audit Logs](https://console.cloud.google.com/iam-admin/audit)
    - Find the service you want to audit (e.g., Cloud Storage, BigQuery, Compute Engine)
    - Check the boxes for the log types to enable:
      • Admin Read - Read-only operations that return metadata
      • Data Read - Operations that read user data
      • Data Write - Operations that write user data
    - Click **Save**

Option B: Enable via gcloud CLI

# Get current audit config
gcloud projects get-iam-policy PROJECT_ID --format=json > policy.json

# Edit policy.json to add auditConfigs section, then apply:
gcloud projects set-iam-policy PROJECT_ID policy.json

Example auditConfigs section for policy.json:

{
  "auditConfigs": [
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        { "logType": "ADMIN_READ" },
        { "logType": "DATA_READ" },
        { "logType": "DATA_WRITE" }
      ]
    },
    {
      "service": "bigquery.googleapis.com",
      "auditLogConfigs": [
        { "logType": "ADMIN_READ" },
        { "logType": "DATA_READ" },
        { "logType": "DATA_WRITE" }
      ]
    }
  ]
}
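The "edit policy.json" step is where hand edits go wrong: `set-iam-policy` replaces the whole policy, so dropping the etag, a binding or an existing audit config silently changes more than the audit settings. The following Python is an added example (not code from this article) that merges the wanted auditConfigs into an exported policy while preserving everything else; the sample policy, its etag and the `merge_audit_configs`/`enabled_log_types` names are constructed for the example.

```python
import copy
import json

# Log types accepted in auditLogConfigs (the names used in the policy.json example above).
ALL_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def merge_audit_configs(policy, services):
    """Copy of an exported IAM policy with `services` (name -> log types) merged into
    auditConfigs; bindings, etag and existing configs are kept and types only added."""
    merged = copy.deepcopy(policy)          # never mutate the caller's policy
    configs = merged.setdefault("auditConfigs", [])
    by_service = {c["service"]: c for c in configs}
    for service, log_types in services.items():
        cfg = by_service.get(service)
        if cfg is None:
            cfg = {"service": service, "auditLogConfigs": []}
            configs.append(cfg)
            by_service[service] = cfg
        enabled = {lc["logType"] for lc in cfg["auditLogConfigs"]}
        for log_type in log_types:
            if log_type not in ALL_LOG_TYPES:
                raise ValueError(f"unknown logType {log_type!r}")
            if log_type not in enabled:      # idempotent: re-running adds nothing
                cfg["auditLogConfigs"].append({"logType": log_type})
                enabled.add(log_type)
    return merged


def enabled_log_types(policy, service):
    """Log types currently enabled for `service`, or an empty set if none."""
    for cfg in policy.get("auditConfigs", []):
        if cfg["service"] == service:
            return {lc["logType"] for lc in cfg["auditLogConfigs"]}
    return set()


# Constructed stand-in for the output of `gcloud projects get-iam-policy PROJECT_ID
# --format=json`: one binding, a placeholder etag, Cloud KMS already logging DATA_WRITE.
SAMPLE_POLICY = json.loads("""{
  "bindings": [{"role": "roles/viewer", "members": ["user:analyst@example.com"]}],
  "etag": "ETAG_PLACEHOLDER",
  "auditConfigs": [{"service": "cloudkms.googleapis.com",
                    "auditLogConfigs": [{"logType": "DATA_WRITE"}]}]
}""")

if __name__ == "__main__":
    wanted = {s: ALL_LOG_TYPES for s in
              ("storage.googleapis.com", "bigquery.googleapis.com", "cloudkms.googleapis.com")}
    # Save this output as policy.json, then: gcloud projects set-iam-policy PROJECT_ID policy.json
    print(json.dumps(merge_audit_configs(SAMPLE_POLICY, wanted), indent=2))
```

Re-run `get-iam-policy` immediately before applying so the etag in the file is current; a stale etag makes `set-iam-policy` fail rather than overwrite a concurrent change.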

Option C: Enable at Organization Level

For consistent logging across all projects:

    - Navigate to **IAM & Admin > Audit Logs** at the organization level
    - Select **Default Audit Config** at the top
    - Enable the log types that should apply to all services by default

Individual service configurations override the default.

Recommendation: Enable Data Access logs for IAM, Cloud Storage, BigQuery, Secret Manager, Cloud KMS, and any services storing sensitive data. Monitor costs for high-volume services.

Step 3: Create Log Sinks for Export

Export audit logs to long-term storage for compliance and forensics:

Export to Cloud Storage

    - Go to [Logging > Log Router](https://console.cloud.google.com/logs/router)
    - Click **Create Sink**
    - Configure the sink:
      • Sink name: audit-logs-archive
      • Sink destination: Cloud Storage bucket
      • Bucket: Select or create a bucket (use Standard class for long-term)
      • Inclusion filter: logName:"cloudaudit.googleapis.com"
    - Click **Create Sink**

Export to BigQuery

For queryable log analysis:

    - In Log Router, click **Create Sink**
    - Configure:
      • Sink name: audit-logs-bigquery
      • Sink destination: BigQuery dataset
      • Dataset: Select or create a dataset
      • Enable "Use partitioned tables" for better query performance
      • Inclusion filter: logName:"cloudaudit.googleapis.com"
    - Click **Create Sink**

Export to Security Command Center

For integrated security analysis, audit logs automatically flow to Security Command Center if you have Premium tier enabled.

Step 4: Configure Retention Policies

Set appropriate retention for compliance requirements:

Cloud Logging Bucket Retention

    - Go to [Logging > Logs Storage](https://console.cloud.google.com/logs/storage)
    - Click on the **_Default** bucket
    - Click **Edit Bucket**
    - Set **Retention period** (1-3650 days)
    - Optionally enable **Lock retention policy** for immutability (compliance use cases)
    - Click **Update Bucket**

Note: The _Required bucket (containing Admin Activity and System Event logs) has a fixed 400-day retention that cannot be modified.

Cloud Storage Lifecycle Rules

For exported logs in Cloud Storage, set lifecycle rules:

    - Go to the Cloud Storage bucket containing exported logs
    - Click the **Lifecycle** tab
    - Add rules such as:
    • Transition to Nearline after 30 days
    • Transition to Coldline after 90 days
    • Transition to Archive after 365 days
    • Delete after 7 years (adjust for compliance requirements)

Step 5: Create Alerting Policies

Set up alerts for critical security events:

    - Go to [Monitoring > Alerting](https://console.cloud.google.com/monitoring/alerting)
    - Click **Create Policy**
    - Click **Select a metric** and choose:
      • Resource type: Audited Resource
      • Metric: Log entries
    - Add filters for specific events, for example:
      protoPayload.methodName="google.iam.admin.v1.SetIamPolicy"
    - Configure notification channels (email, Slack, PagerDuty)

Recommended alerts to create:

  • IAM policy changes at organization level
  • Service account key creation
  • Firewall rule modifications
  • Public access granted to Cloud Storage buckets
  • Failed login attempts exceeding threshold
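The recommended alerts above are simple to express as a classifier over audit log entries, which is also a handy way to test an alert's logic before wiring it to a notification channel. This Python is an added example (not code from this article): the log entries are constructed, their field layout (protoPayload.serviceName, methodName, resourceName, authenticationInfo.principalEmail, serviceData.policyDelta.bindingDeltas) follows the Cloud Audit Log format, and the alert names are chosen for the example. It covers four of the five recommended alerts; failed-login thresholds need windowed counting and are left out.

```python
import json

# Principals that make a bucket public when granted a role on it.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def classify(entry):
    """Map one parsed Cloud Audit Log entry to one of the recommended alerts, or None."""
    p = entry.get("protoPayload", {})
    service, method = p.get("serviceName", ""), p.get("methodName", "")
    resource = p.get("resourceName", "")
    # IAM policy changes at organization level
    if method.endswith("SetIamPolicy") and resource.startswith("organizations/"):
        return "org-iam-policy-change"
    # Service account key creation
    if method == "google.iam.admin.v1.CreateServiceAccountKey":
        return "service-account-key-created"
    # Firewall rule modifications (insert/patch/delete on compute firewalls)
    if service == "compute.googleapis.com" and ".compute.firewalls." in method:
        return "firewall-rule-modified"
    # Public access to a bucket: the policyDelta lists ADDed bindings; alert only on public members
    if method == "storage.setIamPermissions":
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        if any(d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS for d in deltas):
            return "bucket-made-public"
    return None


def scan(lines):
    """Return (alert, actor, resourceName) for every JSON log line that triggers an alert."""
    hits = []
    for line in filter(None, (ln.strip() for ln in lines)):
        entry = json.loads(line)
        alert = classify(entry)
        if alert:
            p = entry["protoPayload"]
            hits.append((alert, p.get("authenticationInfo", {}).get("principalEmail", "?"), p.get("resourceName", "")))
    return hits


# Constructed sample entries, one LogEntry per line (second line is a non-public grant, no alert).
SAMPLE_LOG = """
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/reports-bucket","authenticationInfo":{"principalEmail":"dev@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/internal-bucket","authenticationInfo":{"principalEmail":"dev@example.com"},"serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/storage.objectViewer","member":"group:analysts@example.com"}]}}}}
{"protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","resourceName":"projects/-/serviceAccounts/1234/keys/abcd","authenticationInfo":{"principalEmail":"ci@example.com"}}}
{"protoPayload":{"serviceName":"cloudresourcemanager.googleapis.com","methodName":"SetIamPolicy","resourceName":"organizations/123456789","authenticationInfo":{"principalEmail":"admin@example.com"}}}
{"protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.firewalls.patch","resourceName":"projects/demo/global/firewalls/allow-ssh","authenticationInfo":{"principalEmail":"ops@example.com"}}}
"""

if __name__ == "__main__":
    for alert, actor, resource in scan(SAMPLE_LOG.splitlines()):
        print(f"{alert:28} {actor:22} {resource}")
```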

Step 6: Query Audit Logs in BigQuery

Once exported to BigQuery, run security queries:

-- Find all IAM policy changes in the last 7 days
-- Note: the wildcard table and _TABLE_SUFFIX filter below are for date-sharded tables.
-- If the sink was created with "Use partitioned tables", query the single table
-- `project_id.dataset.cloudaudit_googleapis_com_activity` and filter on timestamp instead.
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail as actor,
  protopayload_auditlog.methodName,
  protopayload_auditlog.resourceName
FROM `project_id.dataset.cloudaudit_googleapis_com_activity_*`
WHERE
  _TABLE_SUFFIX >= FORMAT_DATE('%Y%m%d', DATE_SUB(CURRENT_DATE(), INTERVAL 7 DAY))
  AND protopayload_auditlog.methodName LIKE '%SetIamPolicy%'
ORDER BY timestamp DESC;

-- Find all service account key creations
SELECT
  timestamp,
  protopayload_auditlog.authenticationInfo.principalEmail as actor,
  protopayload_auditlog.resourceName as service_account
FROM `project_id.dataset.cloudaudit_googleapis_com_activity_*`
WHERE
  protopayload_auditlog.methodName = 'google.iam.admin.v1.CreateServiceAccountKey'
ORDER BY timestamp DESC;

Best Practices for Cloud Audit Logs

  • Enable Data Access logs for all sensitive services - IAM, Cloud Storage, BigQuery, Secret Manager, Cloud KMS
  • Use organization-level sinks - Capture logs from all projects in one location
  • Implement log immutability - Lock retention policies for compliance requirements
  • Separate security logs from operational logs - Use dedicated buckets/datasets
  • Monitor logging costs - Use Cloud Billing reports to track logging expenses
  • Create exclusion filters carefully - Document what's excluded and why

Need help implementing comprehensive audit logging for compliance? Contact InventiveHQ for expert guidance on cloud security monitoring and SIEM integration.

Frequently Asked Questions


Admin Activity logs record API calls that modify configurations or metadata of resources (creating VMs, changing IAM policies, modifying firewall rules). These are always enabled and free. Data Access logs record API calls that read configurations or user-provided data (listing resources, reading files from Cloud Storage, querying BigQuery tables). Data Access logs are disabled by default and can generate significant volume, incurring storage costs.
