These are quick notes about the types of logs and what they record on the GCP platform.

Network Specific Logs

VPC Flow Logs, Firewall Logs -> These should be obvious. These are not turned on by default.

Admin Activity Logs and Data Access (per service) Logs

Admin Activity Logs (Create Update and Delete activity) - Creation of new VMs, Modify IAM permissions (including service account permissions)

Most importantly, these logs record when users modify Identity and Access Management permissions.

Data Access Audit Logs (Read Calls to the API)

Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.

Org Level Security policies can be defined using VPC Service Controls.

Policy Denied audit logs are recorded when a Google Cloud service denies access to a user or service account because of a security policy violation.

How to get to the logs (from the console)

Audit Logs (Service Specific) - From Cloud Logging, Filter on Resource type, select the Google Cloud resource whose audit logs you want to see. In Log name, select the audit log type that you want to see.