Logging & Monitoring

TSC mapping: CC2 (Information Quality), CC4 (Monitoring Activities), CC7.1 (Vulnerability Detection), CC7.2 (Security Event Monitoring), CC7.3 (Incident Evaluation)

SOC 2 auditors look for three things: that logs exist, that they are tamper-protected, and that someone is actively watching them. All three must be evidenced.

1. Cloud Audit Logs — API Audit Trail

Cloud Audit Logs are the foundational audit record for all GCP API activity. Admin Activity logs are always on and cannot be disabled — they are the primary evidence source for CC2 and CC7.2.

There are four log types:

Log type	Enabled by default	What it captures
Admin Activity	Yes (always)	Resource configuration and metadata changes
Data Access	No (must enable)	API calls that read/write user data
System Event	Yes (always)	GCP system-driven resource changes
Policy Denied	Yes (always)	Requests denied by VPC Service Controls

Enable Data Access audit logs for sensitive services

# Enable Data Access logs for Secret Manager, Cloud Storage, BigQuery, and Cloud SQL at the org level
gcloud organizations get-iam-policy <org-id> --format=json > org-policy.json

# Add the following to org-policy.json under auditConfigs, then update:
gcloud organizations set-iam-policy <org-id> org-policy.json

{
  "auditConfigs": [
    {
      "service": "secretmanager.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ"},
        {"logType": "DATA_WRITE"},
        {"logType": "ADMIN_READ"}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ"},
        {"logType": "DATA_WRITE"}
      ]
    },
    {
      "service": "bigquery.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ"},
        {"logType": "DATA_WRITE"},
        {"logType": "ADMIN_READ"}
      ]
    },
    {
      "service": "cloudsql.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_ACCESS"},
        {"logType": "ADMIN_READ"}
      ]
    }
  ]
}

Export all audit logs to a locked log bucket

# Create a centralised log bucket with a locked retention policy (1 year)
gcloud logging buckets create soc2-audit-logs \
  --project=<log-project-id> \
  --location=global \
  --retention-days=365 \
  --locked  # Prevents reducing retention — required for tamper protection

# Create an aggregated log sink at the organisation level
gcloud logging sinks create org-audit-sink \
  logging.googleapis.com/projects/<log-project-id>/locations/global/buckets/soc2-audit-logs \
  --organization=<org-id> \
  --include-children \
  --log-filter='logName=~"cloudaudit.googleapis.com"'

# Grant the sink's writer identity access to the destination bucket
SINK_IDENTITY=$(gcloud logging sinks describe org-audit-sink \
  --organization=<org-id> \
  --format="value(writerIdentity)")

gcloud projects add-iam-policy-binding <log-project-id> \
  --member="$SINK_IDENTITY" \
  --role="roles/logging.bucketWriter"

Reference: Cloud Audit Logs overview → · Aggregated log sinks →

2. Security Command Center (SCC) — Security Posture

Security Command Center is the centralised security and risk platform for GCP. Enable SCC Premium at the organization level to get continuous misconfiguration detection, vulnerability scanning, and threat detection.

# Enable Security Command Center at the organization level
gcloud services enable securitycenter.googleapis.com \
  --project=<project-id>

# List all active SCC findings for an organization
gcloud scc findings list <org-id> \
  --filter="state=ACTIVE AND severity=HIGH OR severity=CRITICAL" \
  --format="table(name,category,severity,resourceName,eventTime)"

# Mute a finding (with justification — document the reason)
gcloud scc findings update <finding-name> \
  --organization=<org-id> \
  --mute=MUTED

# List Security Health Analytics findings (misconfigurations)
gcloud scc findings list <org-id> \
  --source=<sha-source-id> \
  --filter="state=ACTIVE" \
  --format="table(category,resourceName,severity)"

SCC Premium services to enable:

Service	What it detects
Security Health Analytics	Misconfigurations (public buckets, open firewall ports, disabled audit logs)
Event Threat Detection	Brute force, cryptomining, data exfiltration, IAM anomalies
Container Threat Detection	Runtime attacks against GKE workloads
VM Threat Detection	Memory-resident malware on Compute Engine VMs
Web Security Scanner	OWASP Top 10 vulnerabilities on App Engine and GKE

Reference: Security Command Center → · SCC Premium →

3. VPC Flow Logs

VPC Flow Logs capture network traffic metadata (source/destination, port, protocol, bytes) for every VM interface. Required for CC7.2 (monitoring) evidence and SCC threat detection.

# Enable VPC Flow Logs on all subnets in a VPC
for subnet in $(gcloud compute networks subnets list \
  --network=prod-vpc \
  --project=<project-id> \
  --format="value(name,region)"); do
  name=$(echo $subnet | awk '{print $1}')
  region=$(echo $subnet | awk '{print $2}')
  gcloud compute networks subnets update $name \
    --region=$region \
    --enable-flow-logs \
    --logging-aggregation-interval=interval-5-sec \
    --logging-flow-sampling=1.0 \
    --logging-metadata=include-all \
    --project=<project-id>
  echo "Enabled flow logs for $name ($region)"
done

# Verify flow logs are enabled
gcloud compute networks subnets list \
  --project=<project-id> \
  --format="table(name,region,enableFlowLogs)"

Reference: VPC Flow Logs →

4. Cloud Monitoring — Alerting Policies

Configure alerting policies for the security events that SOC 2 auditors expect to be actively monitored.

# Create a notification channel (email)
gcloud beta monitoring channels create \
  --display-name="Security Alerts Email" \
  --type=email \
  --channel-labels=email_address=[email protected] \
  --project=<project-id>

CHANNEL_ID=$(gcloud beta monitoring channels list \
  --filter="displayName='Security Alerts Email'" \
  --format="value(name)" \
  --project=<project-id>)

# Alert: IAM policy change on any project
gcloud alpha monitoring policies create \
  --display-name="IAM Policy Change" \
  --condition-filter='resource.type="audited_resource" AND protoPayload.methodName=~"SetIamPolicy"' \
  --condition-display-name="IAM SetIamPolicy called" \
  --notification-channels=$CHANNEL_ID \
  --project=<project-id>

Log-based metric + alert for critical events (using log sinks):

# Create a log-based metric for project ownership changes
gcloud logging metrics create iam-owner-changes \
  --description="Tracks assignment of Owner role" \
  --log-filter='protoPayload.serviceName="cloudresourcemanager.googleapis.com" AND
    ProjectOwnership OR projectOwnerInvitee OR
    protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND
    protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"' \
  --project=<project-id>

Required alerts for SOC 2:

Alert	Log filter keyword
Project ownership / Owner role changes	`SetIamPolicy` + `roles/owner`
Audit log configuration changes	`UpdateSink` · `DeleteSink`
VPC firewall rule changes	`compute.firewalls.insert` · `compute.firewalls.delete`
Cloud Storage public access granted	`storage.setIamPolicy` + `allUsers`
Secret Manager access spikes	`secretmanager.versions.access` — rate threshold
SCC HIGH/CRITICAL findings	SCC notification feed via Pub/Sub
Failed login attempts	Cloud Identity sign-in audit logs
Service account key creation	`google.iam.admin.v1.CreateServiceAccountKey`

Reference: Cloud Monitoring alerting → · Log-based metrics →

5. Event Threat Detection

Event Threat Detection (ETD) is a built-in SCC Premium service that continuously analyses Cloud Audit Logs and VPC Flow Logs for over 40 threat indicators.

# List ETD findings
gcloud scc findings list <org-id> \
  --filter="state=ACTIVE AND sourceProperties.detector_name:ETD" \
  --format="table(category,severity,resourceName,eventTime)"

Key detectors:

Detector	What it flags
`ACCOUNT_LOCKOUT`	Multiple failed authentication attempts
`CRYPTOMINING`	Compute Engine VMs with mining pool connections
`DATA_EXFILTRATION`	Unusual large Cloud Storage reads or BigQuery exports
`OUTGOING_DOS`	VMs participating in denial-of-service attacks
`PRIVILEGED_ACCESS`	Unusual use of sensitive IAM roles
`MALWARE_BAD_IP`	Connections to known malicious IPs

Reference: Event Threat Detection →

SOC 2 Evidence for Logging & Monitoring

Evidence item	How to collect
Audit log sink configuration	`gcloud logging sinks list --organization=<org-id>`
Log bucket retention and lock status	`gcloud logging buckets list --project=<log-project-id>`
Data Access log configuration	`gcloud organizations get-iam-policy <org-id> --format=json` → `auditConfigs` section
SCC findings list (past 90 days)	`gcloud scc findings list <org-id> --filter="state=ACTIVE"`
VPC Flow Logs subnet config	`gcloud compute networks subnets list --format="table(name,enableFlowLogs)"`
Cloud Monitoring alert policies	`gcloud alpha monitoring policies list`
ETD finding history	GCP Console → Security Command Center → Findings → Source: ETD

1. Cloud Audit Logs — API Audit Trail​

Enable Data Access audit logs for sensitive services​

Export all audit logs to a locked log bucket​

2. Security Command Center (SCC) — Security Posture​

3. VPC Flow Logs​

4. Cloud Monitoring — Alerting Policies​

5. Event Threat Detection​

SOC 2 Evidence for Logging & Monitoring​