GCP Audit Logs for Future archival / External Access

Say you have a requirement to make all your audit logs accessible to a group of auditors.

Cloud Logging comes with a solution for building and managing storage sinks.

To automate this solution, create an export sink that routes your audit logs to a Cloud Storage bucket.

What roles do I need to create this export sink?

You need one of the following IAM roles on the source Cloud project from which you're routing logs:

  • Owner (roles/owner)
  • Logging Admin (roles/logging.admin)
  • Logs Configuration Writer (roles/logging.configWriter)

What if I want to make these logs accessible outside of GCP?

To make the exported objects in that bucket accessible to a select group of users outside GCP, use a signed URL.
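The steps above (sink creation, granting the sink's writer identity access to the bucket, and issuing a signed URL) as gcloud commands. This is an added example, not part of the original note; the project, bucket, sink, key file and object path are placeholders, and with the default DRY_RUN=1 the script only prints the commands.

```sh
#!/bin/sh
# Added example, not from the original note: gcloud commands for the flow described above
# (sink -> bucket -> signed URL). Project, bucket, sink and key-file names are placeholders.
# DRY_RUN=1 (the default) prints each command instead of executing it, so this runs offline.
DRY_RUN="${DRY_RUN:-1}"
PROJECT="${PROJECT:-example-project}"          # placeholder source project
BUCKET="${BUCKET:-example-audit-log-archive}"  # placeholder destination bucket
SINK="${SINK:-audit-logs-to-gcs}"              # placeholder sink name

run() { if [ "$DRY_RUN" = 1 ]; then echo "$@"; else "$@"; fi; }

# Match only audit log entries (Admin Activity, Data Access, System Event, Policy Denied),
# not every log in the project.
audit_log_filter() { printf '%s' 'logName:"cloudaudit.googleapis.com"'; }

# Create the sink; needs roles/logging.configWriter (or a superset) on the source project.
create_sink() {
  run gcloud logging sinks create "$SINK" "storage.googleapis.com/$BUCKET" \
    --project="$PROJECT" --log-filter="$(audit_log_filter)"
}

# Cloud Logging creates a writer service account for the sink. Read it with
#   gcloud logging sinks describe "$SINK" --project="$PROJECT" --format='value(writerIdentity)'
# and grant it only object creation on the bucket; no logs are written until this is done.
grant_writer() {
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --member="$1" --role=roles/storage.objectCreator
}

# Hand one object to the auditors as a time-limited V4 signed URL. Signed URLs are capped
# at 7 days (168 hours), so refuse longer requests instead of letting gcloud fail later.
# Signing needs a service-account key (placeholder signer-key.json) with read access.
sign_object() {
  object="$1"; hours="${2:-1}"
  if [ "$hours" -gt 168 ]; then
    echo "refusing: signed URL lifetime ${hours}h exceeds the 7-day maximum" >&2
    return 1
  fi
  run gcloud storage sign-url "gs://$BUCKET/$object" \
    --duration="${hours}h" --private-key-file=signer-key.json
}

# Walk the flow with placeholder values (the object path is illustrative).
create_sink
grant_writer "serviceAccount:PLACEHOLDER@gcp-sa-logging.iam.gserviceaccount.com"
sign_object "cloudaudit.googleapis.com/activity/2024/01/01/00:00:00_00:59:59_S0.json" 24
```

Set DRY_RUN=0 to execute against a real project once the placeholders are replaced.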

Summary

GCP audit logs can easily be made available to users outside the GCP environment through a signed URL. The process can be automated using an export sink, which is built into Cloud Logging.