Enable Data Access Audit Logs for Cloud Tasks Resources

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To ensure security, compliance, and effective troubleshooting, enable Data Access audit logs for your Cloud Tasks resources (queues and tasks). Google Cloud Tasks provides two main types of audit logs:

  1. Admin Activity audit logs: These logs capture operations that modify the configuration or metadata of resources, such as creating or deleting Cloud Tasks queues. Admin Activity audit logs are enabled by default and cannot be turned off.
  2. Data Access audit logs: These logs track operations not covered by Admin Activity logs. Data Access audit logs include the following sub-types:
    • ADMIN_READ: Logs operations that read metadata or configuration information. This is useful for auditing who has read-only access to the configurations or settings of your Cloud Tasks resources.
    • DATA_READ: Logs operations that read user-provided data. This is useful for tracking read interactions with your Cloud Tasks resources.
    • DATA_WRITE: Logs operations that write user-provided data. This is critical for tracking changes to your Cloud Tasks configuration and resources.
Unlike Admin Activity logs, Data Access audit logs are disabled by default and must be explicitly enabled.

Enabling Data Access audit logs for Cloud Tasks is crucial for ensuring compliance, strengthening security, promoting accountability, and streamlining troubleshooting efforts. By actively monitoring and analyzing activity for your Cloud Tasks resources, you can gain valuable insights that enable swift detection and response to potential security threats. In Google Cloud Platform (GCP), Data Access audit logs capture API calls that access resource configurations or metadata, along with user-initiated API calls that create, modify, or read data provided by users.


Audit

To determine if Data Access audit logs are enabled for your Cloud Tasks resources, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Cloud Tasks API, and press Enter.

06 Select the Cloud Tasks API service to show the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab and check the log types configured for Cloud Tasks API to determine what types of operations are recorded in your Data Access audit logs for the selected service. If Admin Read, Data Write, and Data Read log types are not enabled (i.e., the log type checkboxes are not selected), Data Access audit logs are disabled for your Cloud Tasks resources.

08 Repeat steps no. 2 – 7 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list \
  --format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the IAM policy created for the selected project. The project's IAM policy includes the auditConfigs configuration object, which contains the configuration parameters for Data Access audit logs.

gcloud projects get-iam-policy cc-project5-123123 \
  --format="yaml(auditConfigs)"

04 The command output should return the IAM policy defined for the GCP project (including the auditConfigs object):

auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: compute.googleapis.com
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: storage.googleapis.com

If the projects get-iam-policy command output returns null, Data Access audit logs are not enabled for the Google Cloud services and APIs supported within the selected GCP project. If the command output returns the auditConfigs configuration object, as shown in the example above, audit logs are enabled for certain services and APIs. If ADMIN_READ, DATA_READ, and DATA_WRITE log types are not listed for service: cloudtasks.googleapis.com, Data Access audit logs are disabled for your Cloud Tasks resources.

05 Repeat steps no. 3 and 4 for each project deployed within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To enable Data Access audit logs for your Google Cloud Tasks resources, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Cloud Tasks API, and press Enter.

06 Select the Cloud Tasks API service to display the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab, check the Admin Read, Data Write, and Data Read checkboxes, and choose SAVE to apply the changes. This will enable Data Access audit logs for all the Cloud Tasks resources available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP project and add the "auditConfigs" object to the existing policy as configured below. Save the IAM policy document to a JSON file named cc-enable-data-access-audit-logs.json. Keep the existing "bindings" and "etag" in the file, because set-iam-policy replaces the entire policy with the contents of that file. If audit logs are already enabled for other GCP services, just add the "auditLogConfigs" object for Cloud Tasks to the existing "auditConfigs". The example below demonstrates Data Access audit logs enabled exclusively for Cloud Tasks resources:

"auditConfigs": [
	{
		"auditLogConfigs": [
			{
				"logType": "ADMIN_READ"
			},
			{
				"logType": "DATA_READ"
			},
			{
				"logType": "DATA_WRITE"
			}
		],
		"service": "cloudtasks.googleapis.com"
	}
]

02 Run projects set-iam-policy command (Windows/macOS/Linux) with the name of the GCP project that you want to configure as the identifier parameter, to update the associated IAM policy in order to enable Data Access audit logs for all the Cloud Tasks resources available in the selected GCP project:

gcloud projects set-iam-policy cc-project5-123123 cc-enable-data-access-audit-logs.json

03 The command output should return the modified IAM policy document:

Updated IAM policy for project [cc-project5-123123].
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: cloudtasks.googleapis.com
bindings:
- members:
  - user:username@domain.com
  role: roles/cloudtasks.viewer
etag: abcdabcdabcd
version: 1

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud Platform (GCP) account.
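The CLI audit and remediation steps above can be scripted against the JSON form of the project IAM policy. The following is an added example, not code from the Conformity page or from Google: it reports which Cloud Tasks log types are missing and produces a merged policy that preserves existing bindings, etag and other services' audit configs. The sample policy is constructed; the function names are this example's own.

```python
"""Audit and remediate Cloud Tasks Data Access audit logs in a GCP project IAM
policy. Added example, not from the Conformity page; the policy dict mirrors
what `gcloud projects get-iam-policy PROJECT --format=json` returns."""
import copy
import json

CLOUD_TASKS = "cloudtasks.googleapis.com"
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def missing_cloudtasks_log_types(policy: dict) -> set:
    """Log types not yet enabled for Cloud Tasks; empty set means compliant.
    No auditConfigs key at all is the `null` case from the audit step."""
    for cfg in policy.get("auditConfigs") or []:
        if cfg.get("service") == CLOUD_TASKS:
            enabled = {lc.get("logType") for lc in cfg.get("auditLogConfigs", [])}
            return REQUIRED_LOG_TYPES - enabled
    return set(REQUIRED_LOG_TYPES)


def enable_cloudtasks_audit_logs(policy: dict) -> dict:
    """Copy of the policy with all three log types enabled for Cloud Tasks.
    Bindings, etag and other services' audit configs are kept, because
    `gcloud projects set-iam-policy` replaces the whole policy with the file."""
    new_policy = copy.deepcopy(policy)
    configs = new_policy.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == CLOUD_TASKS), None)
    if entry is None:
        entry = {"service": CLOUD_TASKS, "auditLogConfigs": []}
        configs.append(entry)
    present = {lc.get("logType") for lc in entry.setdefault("auditLogConfigs", [])}
    for log_type in sorted(REQUIRED_LOG_TYPES - present):
        entry["auditLogConfigs"].append({"logType": log_type})
    return new_policy


# Constructed sample: Storage fully audited, Cloud Tasks only ADMIN_READ.
SAMPLE_POLICY = {
    "auditConfigs": [
        {"service": "storage.googleapis.com", "auditLogConfigs": [
            {"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
        {"service": CLOUD_TASKS, "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    ],
    "bindings": [{"role": "roles/cloudtasks.viewer", "members": ["user:username@domain.com"]}],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    print("missing:", sorted(missing_cloudtasks_log_types(SAMPLE_POLICY)))
    # Save this output to a file and pass it to `gcloud projects set-iam-policy PROJECT FILE`.
    print(json.dumps(enable_cloudtasks_audit_logs(SAMPLE_POLICY), indent=2))
```

Running the script twice on an already-compliant policy returns it unchanged, so it is safe to use as an idempotent check in a pipeline.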

Publication date Mar 27, 2025