# Audit Logging

## Statement
ClaimGuard relies on Google Cloud Audit Logs to record privileged actions
against the production GCP project (train-cvit2).
- Admin Activity logs (every IAM change, every VM lifecycle action, every Secret Manager mutation, etc.) are automatic, immutable, and retained for 400 days.
- System Event and Access Transparency logs flow into the same retention bucket on the same terms.
- Data Access logs (who read what data) are intentionally off at this stage; the cost/noise is not justified at our scale and they are not a SOC 2 Type I requirement. Re-evaluate when we onboard the first customer with contractual data-access auditing requirements.
- Application-level events (the API server's own request log) flow through Cloud Logging into the `_Default` bucket with 30-day retention.
## Implementation
GCP Logging provisions two log buckets per project automatically. ClaimGuard uses the defaults — no custom buckets, no custom sinks beyond the two GCP creates on project creation.
### _Required bucket — Admin Activity, locked at 400 days

```console
$ gcloud logging buckets describe _Required --location=global --project=train-cvit2
description: Audit bucket
lifecycleState: ACTIVE
locked: true
name: projects/train-cvit2/locations/global/buckets/_Required
retentionDays: 400
```

`locked: true` means the retention period cannot be shortened and the bucket cannot be deleted, even by a project owner. This is the GCP guarantee that admin actions remain auditable for 400 days regardless of operator intent.
The default `_Required` sink routes every log matching the audit log IDs into this bucket:

```text
LOG_ID("cloudaudit.googleapis.com/activity") OR
LOG_ID("externalaudit.googleapis.com/activity") OR
LOG_ID("cloudaudit.googleapis.com/system_event") OR
LOG_ID("externalaudit.googleapis.com/system_event") OR
LOG_ID("cloudaudit.googleapis.com/access_transparency") OR
LOG_ID("externalaudit.googleapis.com/access_transparency")
```
### _Default bucket — everything else, 30 days

```console
$ gcloud logging buckets describe _Default --location=global --project=train-cvit2
description: Default bucket
lifecycleState: ACTIVE
name: projects/train-cvit2/locations/global/buckets/_Default
retentionDays: 30
```

This receives application logs (the API server's request/error stream) and any GCP service log that is not an audit log.
### Data Access logs — off

An empty `auditConfigs` section in the project's IAM policy confirms that no Data Access log types are enabled for any GCP service. This is the GCP default and a deliberate choice: enabling `DATA_READ` on Cloud Storage or Secret Manager produces high-volume, high-cost logs we do not currently need to retain.
### Sinks — defaults only

```console
$ gcloud logging sinks list --project=train-cvit2
NAME       DESTINATION                                                                     FILTER
_Required  logging.googleapis.com/projects/train-cvit2/locations/global/buckets/_Required  (audit log IDs above)
_Default   logging.googleapis.com/projects/train-cvit2/locations/global/buckets/_Default   (everything else)
```

No custom sinks export logs out of GCP. If/when an external SIEM is added, that becomes a third sink documented here.
## How to query

Common investigative queries (run from the GCP console's Logs Explorer or via `gcloud logging read`):
| Question | Filter |
|---|---|
| Who changed IAM policies in the last 30 days? | `protoPayload.serviceName="iam.googleapis.com" AND protoPayload.methodName=~"SetIamPolicy"` |
| Who accessed which Secret Manager secret? | `protoPayload.serviceName="secretmanager.googleapis.com" AND protoPayload.methodName="google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion"` |
| Who started/stopped the VM? | `resource.type="gce_instance" AND protoPayload.methodName=~"compute.instances.(start\|stop\|reset)"` |
| Who deleted a firewall rule? | `protoPayload.methodName="v1.compute.firewalls.delete"` |
For `_Required`, the 400-day window means investigations going back over a year are still possible. Note that the Secret Manager query depends on Data Access (`DATA_READ`) logging, which is currently off; it returns results only once that is enabled.
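As an added worked example (not part of the ClaimGuard docs or of any GCP tooling), the script below turns the result of the first query into an investigation summary: it reads the JSON array that `gcloud logging read '<filter>' --format=json` prints, keeps the SetIamPolicy calls, and lists who changed which binding from where. The log entries are constructed samples in the Cloud Audit Log (`AuditLog` protoPayload) shape; the project, principals and IP addresses are made up.

```python
import json

def _entry(ts, service, method, resource, who, ip, deltas):
    """Build one constructed LogEntry with only the fields the summary reads."""
    return {"timestamp": ts, "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": who},
        "requestMetadata": {"callerIp": ip},
        # IAM changes carry the policy diff here (google.iam.v1.logging.AuditData).
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}}

# Constructed sample export. Project-level IAM changes are logged under
# cloudresourcemanager, service-account-level ones under iam.googleapis.com.
SAMPLE = json.dumps([
    _entry("2026-04-27T09:12:44Z", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "projects/example-project", "alice@example.com", "203.0.113.10",
           [{"action": "ADD", "role": "roles/owner", "member": "user:bob@example.com"}]),
    _entry("2026-04-27T09:15:02Z", "iam.googleapis.com", "google.iam.admin.v1.SetIAMPolicy",
           "projects/example-project/serviceAccounts/deploy@example-project.iam.gserviceaccount.com",
           "alice@example.com", "203.0.113.10",
           [{"action": "REMOVE", "role": "roles/iam.serviceAccountUser", "member": "user:carol@example.com"}]),
    _entry("2026-04-27T10:00:00Z", "compute.googleapis.com", "v1.compute.instances.stop",
           "projects/example-project/zones/us-central1-a/instances/api", "dave@example.com",
           "203.0.113.11", []),
])

def iam_changes(export_json):
    """One row per SetIamPolicy call: who, from where, on what, and each binding delta."""
    rows = []
    for entry in json.loads(export_json):
        p = entry.get("protoPayload", {})
        if "setiampolicy" not in p.get("methodName", "").lower():
            continue  # not an IAM change (e.g. a VM lifecycle action), skip it
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        rows.append({
            "time": entry["timestamp"],
            "principal": p.get("authenticationInfo", {}).get("principalEmail", "?"),
            "caller_ip": p.get("requestMetadata", {}).get("callerIp", "?"),
            "resource": p.get("resourceName", "?"),
            "deltas": [f"{d['action']} {d['role']} {d['member']}" for d in deltas],
        })
    return rows

def broad_role_grants(rows, roles=("roles/owner", "roles/editor")):
    """Rows that ADD a broad primitive role; the first thing to triage in an incident."""
    return [r for r in rows if any(d.startswith("ADD ") and d.split()[1] in roles for d in r["deltas"])]

if __name__ == "__main__":
    print(*iam_changes(SAMPLE), sep="\n")
```

Feed it a real export with `python3 iam_summary.py < export.json` after swapping `SAMPLE` for `sys.stdin.read()`; the method-name match is case-insensitive so both the project-level and the service-account-level method names are caught.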
## Status

Implemented — verified 2026-04-28.

Verification artifact: command output above, captured during plan step A0.5 (`docs/security/HARDENING-LOG.md`, 2026-04-28 entry).
## Roadmap (not blocking)

- Data Access logs (selective): when the first customer requires data-access auditing, enable `DATA_READ`/`DATA_WRITE` on Secret Manager and Cloud Storage only — not project-wide. Track as a future hardening item.
- External SIEM export: out of scope for SOC 2 Type I; revisit at Type II / ISO time.