Overview

In this lab, you investigate Google Cloud Audit Logs. Cloud Audit Logging maintains multiple audit logs for each project, folder, and organization, all of which help answer the question, "Who did what, when, and where?"

Objectives

In this lab, you learn how to:

• Enable data access logs on Cloud Storage.
• Generate admin and data access activity.
• View Audit logs.

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

   • The Open Google Cloud console button
   • Time remaining
   • The temporary credentials that you must use for this lab
   • Other information, if needed, to step through this lab

2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

   The lab spins up resources, and then opens another tab that shows the Sign in page.

   Tip: Arrange the tabs in separate windows, side-by-side.

   Note: If you see the Choose an account dialog, click Use Another Account.

3. If necessary, copy the Username below and paste it into the Sign in dialog.

   {{{user_0.username | "Username"}}}

   You can also find the Username in the Lab Details panel.

4. Click Next.

5. Copy the Password below and paste it into the Welcome dialog.

   {{{user_0.password | "Password"}}}

   You can also find the Password in the Lab Details panel.

6. Click Next.

   Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

7. Click through the subsequent pages:

   • Accept the terms and conditions.
   • Do not add recovery options or two-factor authentication (because this is a temporary account).
   • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left, or type the service or product name in the Search field.

After you complete the initial sign-in steps, the project dashboard appears.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

   

2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

• You can list the active account name with this command:

gcloud auth list

Output:

Credentialed accounts: - @.com (active)

Example output:

Credentialed accounts: - google1623327_student@qwiklabs.net

• You can list the project ID with this command:

gcloud config list project

Output:

[core] project =

Example output:

[core] project = qwiklabs-gcp-44776a13dea667a6 Note: Full documentation of gcloud is available in the gcloud CLI overview guide .

Task 1. Enable data access logs on Cloud Storage

In this task, you enable data access logs on Cloud Storage to track operations that read or write user-provided data, as well as metadata and configuration information.

1. In the Google Cloud console, in the Navigation menu () click IAM & Admin > Audit Logs.

2. Scroll or use Filter to locate Google Cloud Storage, then check the box next to it. This should display the Info Panel with options on LOG TYPES.

Data Access audit logs are divided into different categories:

• Admin Read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information. They can't be disabled.
• Data Read: Records operations that read user-provided data.
• Data Write: Records operations that write user-provided data.

3. Select Admin Read, Data Read and Data Write, and then click Save.

Click Check my progress to verify the objective. Enable data access logs on Cloud Storage

Task 2. Generate some admin and data access activity

In this task, you generate admin and data access activity by creating a storage bucket. You then upload a file, create a network and VM, and then delete the storage bucket.

1. Open or switch to your Cloud Shell terminal.

2. Use gcloud storage to create a Cloud Storage bucket with the same name as your project. If prompted, click Authorize:

gcloud storage buckets create gs://$DEVSHELL_PROJECT_ID

3. Make sure the bucket successfully created:

gcloud storage ls

4. Create a simple "Hello World" type of text file and upload it to your bucket:

echo "Hello World!" > sample.txt gcloud storage cp sample.txt gs://$DEVSHELL_PROJECT_ID

5. Verify the file is in the bucket:

gcloud storage ls gs://$DEVSHELL_PROJECT_ID

6. Create a new auto mode network named mynetwork, then create a new virtual machine and place it on the new network:

gcloud compute networks create mynetwork --subnet-mode=auto gcloud compute instances create default-us-vm \ --zone={{{project_0.default_zone|Zone}}} --network=mynetwork \ --machine-type=e2-medium

Click Check my progress to verify the objective. Check the creation of bucket, network and virtual machine instance

7. Delete the storage bucket:

gcloud storage rm -r gs://$DEVSHELL_PROJECT_ID

Task 3. Viewing audit logs

In this task, you view and explore both Admin Activity and Data Access audit logs in the Logs Explorer, examining the details of logged events such as bucket deletion and data access operations. You then read the Data Access logs using the Cloud SDK.

Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. For example, the logs record when VM instances and App Engine applications are created, or when permissions are changed. To view the logs, you must have the Cloud Identity and Access Management roles Logging/Logs Viewer or Project/Viewer.

Admin Activity logs are always enabled so there is no need to enable them. There is no charge for your Admin Activity audit logs.

1. In the Google Cloud console, in the Navigation menu () click View all products > Observability > Logging.

2. In Logs Explorer, enable Show query and delete the contents of Query box.

3. Click the All log names dropdown and use the filter to locate the activity log under Cloud Audit section and Apply it to the query.

4. Press the Run query button, and then use the Log fields explorer to filter to GCS Bucket entries.

5. Locate the log entry for when the Cloud Storage was deleted.

6. Expand the delete entry, then drill into protoPayload > authenticationInfo field and notice you can see the email address of the user that performed this action.

   Feel free to explore other fields in the entry. Also, notice how many of the values can be clicked to add inclusions/exclusions to the query.

7. Delete the existing query and use All log names to view the data_access logs.

What operations can you see now?

Click Check my progress to verify the objective. Viewing audit logs

Using the Cloud SDK

Log entries can also be read using the Cloud SDK command:

Example:

gcloud logging read [FILTER]

1. Switch to or reopen a Cloud Shell terminal.

2. If we wanted to see those same data access logs using the command line, we could run the following:

gcloud logging read \ "logName=projects/$DEVSHELL_PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"

Congratulations!

In this exercise, you examined and worked with Google Cloud's Audit Logs. Now you can do a better job figuring out exactly who did what, when. Nice job.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.