Profile Applicability:

Level 2

Description:

Google Cloud Access Transparency provides audit logs that record actions performed by Google personnel on your organization's Google Cloud resources. Each entry records the resource and product accessed, the time of the access, the justification (for example a customer support case or a Google-initiated service event), and the accessor's office location and employing entity. The logs are delivered through Cloud Logging alongside the other Cloud Audit Logs, so they can be exported, retained and alerted on with the same sinks and log-based metrics.

Rationale:

Access Transparency strengthens security and trust by providing visibility into actions performed by Google employees on your projects. It allows organizations to verify:

  • Who accessed the resources

  • When the access occurred

  • Why the access was needed

This capability is essential for compliance, security audits, and ensuring data privacy.

Impact:

  • Requirements:

    • Access Transparency requires a support plan at one of the following levels: Premium, Enterprise, Platinum, or Gold.

    • Additional costs may be incurred for the support subscription and log storage.

  • Irreversibility:

    • Once enabled, Access Transparency cannot be disabled without submitting a service request to Google Cloud Support.

Default Value:

Access Transparency is not enabled by default.

Audit Steps:

Using Google Cloud Console:

  1. Go to Google Cloud Home and click on the Navigation menu.

  2. Hover over IAM & Admin and select Settings.

  3. Check the Access Transparency status under its heading.

    • The status should display as Enabled.

    • Access Transparency is enabled for the whole organization, so the status shown applies to every project in it. Make sure the project selected in the resource picker belongs to the organization being audited.

Remediation Steps:

Using Google Cloud Console:

Step 1: Grant Access Transparency Admin Privileges:
  1. Navigate to IAM & Admin > IAM with the organization (not an individual project) selected in the resource picker; the role is needed at the organization level.

  2. Click the +Add button.

  3. In the Principals field, enter the email address of the user or group.

  4. In the Role field, type and select Access Transparency Admin (roles/axt.admin).

  5. Click Save.

Step 2: Verify Billing Association:
  1. Navigate to Billing in the Google Cloud Console.

  2. Confirm that the project is linked to a billing account.

    • If not, associate the project with a billing account or switch to another project with billing enabled.

Step 3: Enable Access Transparency:
  1. Go to IAM & Admin > Settings, with a project that belongs to the organization and is linked to a billing account selected.

  2. Click the Enable Access Transparency for Organization button.

  3. Confirm that the Access Transparency status now displays as Enabled.

Additional Information:

  • Eligibility: Organizations must have a Premium, Enterprise, Platinum, or Gold support plan to enable Access Transparency.

  • Log Scope: Logs cover access to supported services by Google personnel.
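As an added example of how the who/when/why visibility described under Rationale and the log scope noted above are consumed in practice (this is not part of the CIS benchmark and not Google's own tooling): the Python below reads Access Transparency entries exported from Cloud Logging (log ID cloudaudit.googleapis.com%2Faccess_transparency), ignores entries from other audit logs, summarises accesses by justification type, and flags any access with no recorded reason or a customer-initiated reason that does not reference a support case. The four entries embedded in the script are constructed sample data shaped after the documented TransparencyLog payload (location, product, reason, accessedResources); if the field names in your export differ, that assumption is the part to adjust.

```python
"""Review Access Transparency (AXT) log entries: who accessed what, when and why.

Added example, not CIS or Google code. Assumptions:
  * Entries have the shape Cloud Logging emits for the
    cloudaudit.googleapis.com%2Faccess_transparency log: a jsonPayload of
    @type google.cloud.audit.TransparencyLog carrying `location`, `product`,
    `reason` and `accessedResources`.
  * A CUSTOMER_INITIATED_SUPPORT reason is expected to cite a support case in
    `detail`; a blank detail is treated as needing review.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TRANSPARENCY_TYPE = "type.googleapis.com/google.cloud.audit.TransparencyLog"
AXT_LOG_SUFFIX = "cloudaudit.googleapis.com%2Faccess_transparency"

# Constructed sample data (not a real export): three AXT entries and one
# ordinary Admin Activity entry that the parser must ignore.
SAMPLE_ENTRIES = r'''
{"insertId":"a1","logName":"organizations/123456789012/logs/cloudaudit.googleapis.com%2Faccess_transparency","timestamp":"2024-03-04T10:15:30.000Z","jsonPayload":{"@type":"type.googleapis.com/google.cloud.audit.TransparencyLog","location":{"principalOfficeCountry":"US","principalEmployingEntity":"Google LLC","principalPhysicalLocationCountry":"US"},"product":["Cloud Storage"],"reason":[{"type":"CUSTOMER_INITIATED_SUPPORT","detail":"Case number: 12345678"}],"accessedResources":["projects/example-prod/buckets/example-bucket"]}}
{"insertId":"a2","logName":"organizations/123456789012/logs/cloudaudit.googleapis.com%2Faccess_transparency","timestamp":"2024-03-04T11:02:11.000Z","jsonPayload":{"@type":"type.googleapis.com/google.cloud.audit.TransparencyLog","location":{"principalOfficeCountry":"IE","principalEmployingEntity":"Google Ireland Limited","principalPhysicalLocationCountry":"IE"},"product":["Compute Engine"],"reason":[{"type":"GOOGLE_INITIATED_SERVICE","detail":"Investigating a production issue"}],"accessedResources":["projects/example-prod/zones/europe-west1-b/instances/web-1"]}}
{"insertId":"a3","logName":"organizations/123456789012/logs/cloudaudit.googleapis.com%2Faccess_transparency","timestamp":"2024-03-04T12:40:05.000Z","jsonPayload":{"@type":"type.googleapis.com/google.cloud.audit.TransparencyLog","location":{"principalOfficeCountry":"US","principalEmployingEntity":"Google LLC","principalPhysicalLocationCountry":"US"},"product":["Cloud SQL"],"reason":[{"type":"CUSTOMER_INITIATED_SUPPORT","detail":""}],"accessedResources":["projects/example-prod/instances/db-1"]}}
{"insertId":"x9","logName":"projects/example-prod/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-03-04T12:41:00.000Z","protoPayload":{"methodName":"storage.objects.get"}}
'''


@dataclass(frozen=True)
class Access:
    event_id: str
    when: str          # entry timestamp
    who: str           # employing entity and office country: the "who" AXT exposes
    products: tuple
    resources: tuple
    reasons: tuple     # (type, detail) pairs


def is_transparency_entry(entry: dict) -> bool:
    """True only for AXT entries; other Cloud Audit Logs are skipped."""
    payload = entry.get("jsonPayload") or {}
    return (payload.get("@type") == TRANSPARENCY_TYPE
            and entry.get("logName", "").endswith(AXT_LOG_SUFFIX))


def load_entries(text: str) -> list:
    """Accept either a JSON array (gcloud --format=json) or newline-delimited JSON."""
    stripped = text.strip()
    if stripped.startswith("["):
        return json.loads(stripped)
    return [json.loads(line) for line in stripped.splitlines() if line.strip()]


def parse_entries(text: str) -> list:
    accesses = []
    for entry in load_entries(text):
        if not is_transparency_entry(entry):
            continue
        p = entry["jsonPayload"]
        loc = p.get("location", {})
        who = f"{loc.get('principalEmployingEntity', '?')} ({loc.get('principalOfficeCountry', '?')})"
        accesses.append(Access(
            event_id=entry.get("insertId", ""),
            when=entry.get("timestamp", ""),
            who=who,
            products=tuple(p.get("product", [])),
            resources=tuple(p.get("accessedResources", [])),
            reasons=tuple((r.get("type", ""), r.get("detail", "")) for r in p.get("reason", [])),
        ))
    return accesses


def needs_review(access: Access) -> Optional[str]:
    """Return why this access should be reviewed, or None if it looks justified."""
    if not access.reasons:
        return "no reason recorded"
    for rtype, detail in access.reasons:
        if rtype == "CUSTOMER_INITIATED_SUPPORT" and "case" not in detail.lower():
            return "customer-initiated access without a support case reference"
    return None


def review(text: str) -> dict:
    """Summarise an export: count of AXT accesses, reasons seen, and flagged event IDs."""
    accesses = parse_entries(text)
    by_reason = Counter(rtype for a in accesses for rtype, _ in a.reasons)
    flagged = [(a.event_id, needs_review(a)) for a in accesses if needs_review(a)]
    return {"total": len(accesses), "by_reason": dict(by_reason), "flagged": flagged}


if __name__ == "__main__":
    for a in parse_entries(SAMPLE_ENTRIES):
        print(f"{a.when}  {a.who:32}  {', '.join(a.products):16}  {a.reasons[0][0] if a.reasons else '-'}")
    print(review(SAMPLE_ENTRIES))
```

To run it against a real export, save the output of `gcloud logging read 'logName:"cloudaudit.googleapis.com%2Faccess_transparency"' --organization=ORG_ID --format=json` to a file and pass its contents to review(); the activity-log entry in the sample shows why the @type and logName checks matter when the same sink carries other audit logs.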

CIS Controls:

Control                                 | Description                                                                                                   | IG 1 | IG 2 | IG 3
----------------------------------------|---------------------------------------------------------------------------------------------------------------|------|------|-----
8.2 Collect Audit Logs (v8)             | Ensure that audit logs are collected across enterprise assets to support logging and monitoring requirements. |      |      |
8.5 Collect Detailed Audit Logs (v8)    | Configure detailed audit logging for assets with sensitive data to assist in forensic investigations.        |      |      |
6.2 Activate Audit Logging (v7)         | Enable audit logging on all systems and networking devices.                                                   |      |      |
6.3 Enable Detailed Logging (v7)        | Enable system logging to capture event sources, timestamps, and other details for monitoring and forensics.   |      |      |