CoursesGCP securityDetection & Security Command Center

Audit logs & immutable trails

Aggregated sinks to a locked logging project.

Advanced30 min · lesson 10 of 15

You cannot respond to what you cannot see, and you cannot trust evidence an attacker could edit. The foundation of GCP detection and incident response is a complete, centralized, tamper-resistant audit trail — captured org-wide via an aggregated sink and protected in a locked bucket almost nobody can touch.

Know the log types

Cloud Audit Logs come in four streams. Admin Activity (always on) records configuration and permission changes. Data Access (opt-in, except BigQuery) records reads and writes to resource data — enable it where you need data-plane visibility, accepting the volume. System Event records Google-initiated changes, and Policy Denied records requests blocked by security controls like VPC Service Controls. Together they answer "who did what, to which resource, when, and from where".

an aggregated org sink to a locked bucket
# Route every project's logs to a central bucket in the logging project.
gcloud logging sinks create org-audit \
storage.googleapis.com/acme-org-audit \
--organization=ORG_ID --include-children \
--log-filter='logName:"cloudaudit.googleapis.com"'
# Lock the log bucket's retention so nobody — including admins — can delete
# entries before retention expires (tamper-resistant evidence).
gcloud logging buckets update _Default --location=global \
--retention-days=400 --locked

Segregate and alert on blinding

Deliver logs to a dedicated logging project (or an external SIEM) with minimal human access, so a workload compromise cannot reach its own audit record, and lock the destination’s retention so the trail is write-once. Then alert on the meta-events — a sink being deleted, Data Access logging being disabled, retention being unlocked — because an attacker who understands the trail tries to blind it first. "Someone changed logging configuration" is one of the highest-signal detections you can have.

Trustworthy audit pipeline
capture
Admin Activity (always on)
config + permission changes
Data Access (opt-in)
reads/writes where needed
protect
aggregated sink → logging project
workloads cannot reach it
locked bucket retention
write-once evidence
watch
alert on sink/retention/Data-Access changes
blinding is loud
A trail an attacker can delete or unlock is not evidence. Segregation + locked retention + alerting make it one.
Logs in the compromised project are deletable
If audit logs stay only in the project that generated them, an attacker who owns that project can tamper with the evidence. Aggregate to a separate logging project with locked retention and near-zero human access — evidence integrity is an architecture decision, not a toggle.