When an audit is completed, Audit Manager creates and stores audit artifacts in the destination storage buckets for you to view:
- Audit summary report
- Control overview report
- Evidence
The new console experience (Preview) includes a different format for the reports. For more information, see View Audit Manager reports (new experience).
Before you begin
Ensure that you have the following IAM roles:
One of the following Audit Manager roles for the resource:
- Audit Manager Admin (
roles/auditmanager.admin) - Audit Manager Auditor (
roles/auditmanager.auditor) - Compliance Manager
Viewer
(
roles/cloudsecuritycompliance.viewer) (required if you're auditing a framework that you've created using Compliance Manager)
- Audit Manager Admin (
One of the following Cloud Storage roles for the storage bucket that contains Audit Manager reports:
- Storage Admin (
roles/storage.admin) - Storage Legacy Bucket Owner (
roles/storage.legacyBucketOwner) - Storage Legacy Object Reader (
roles/storage.legacyObjectReader)
- Storage Admin (
View Audit Manager reports (classic experience)
In the Google Cloud console, go to the Audit Manager page.
In the Compliance audits section, click View audits.
On the View assessments page, you can view the status of an in-progress audit or a completed audit from Audit Manager or Compliance Manager.
Depending on the type of audit information you want to view, follow the instructions in the corresponding tab.
Audit summary report
- To view the audit summary, click the link in the Status column.
The Basic information page displays the information about compliance controls in scope and the status of the automated compliance:
- Compliant: Shows the configurations that meet all the requirements.
- Violations: Shows the misconfigurations that are detected against a given control.
- Manual review needed: Shows the configurations that need user inputs to prove compliance and process control.
- Skipped: Shows the configurations that Audit Manager skipped for a given control.
- To see the details of a status, click View.
- To export the audit summary report, click Export. The audit summary report is exported in the ODS format.
Control overview report
You can use the Basic information page to view the control overview report based on a control or status.
- To view the control overview report based on a control, do the following:
- Expand the required control.
- To view the detailed compliance assessment against each rule, click the corresponding hyperlink. The controls page shows the responsibility, findings, and requirements.
- To view the control report based on a status, do the following:
- For the required status, click View.
- From the list of controls, click the required hyperlink. The controls page shows the responsibility, findings, and requirements.
To export the control overview report, click Export.In the Bucket details page, click the control name and click Download. The control overview report is exported in the ODS format.
Evidence
To view the evidence for a finding, click the corresponding hyperlink in the controls page. The Object details page with the evidence details opens in a separate tab.
To download the evidence, click Download. The evidence is downloaded in the JSON format.
- To view the audit summary, click the link in the Status column.
Alternatively, you can download the required report and evidence directly from the destination storage bucket. For detailed instructions, see Download an object from a bucket.
Audit summary report
An audit summary report is a comprehensive report that provides a high-level overview of all compliance controls and a responsibilities matrix to help you understand the system.
In the destination storage bucket, the audit summary report uses the following naming convention:
audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/overall_report.ods
The placeholder values are described as follows:
- FRAMEWORK_NAME: The name of the framework, such
as
SOC2 2017. - TIMESTAMP: A timestamp when the report was generated.
- UNIQUE_ID: A unique ID for the report.
For each applicable control type, the following fields are populated in the audit summary report:
| Control type | Description |
|---|---|
| Control Info | A description and requirement for the control. |
| Google Responsibility | Google Cloud responsibility and implementation details. |
| Customer Responsibility | Customer responsibility and implementation details. |
| Assessment Status | Status of compliance for the control. Status can be one of the
following types:
|
| Control Report Link | A link to the control overview report. |
Control overview report
A control overview report contains a detailed description of the compliance evaluation for a single control. It provides assessment details for each compliance check with observations and expected values.
In the destination storage bucket, the control overview report uses the following naming convention:
audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/CONTROL_ID.ods
The placeholder values are described as follows:
- FRAMEWORK_NAME: The name of the framework, such as
CIS_CONTROLS_V8. - TIMESTAMP: A timestamp when the report was generated.
- UNIQUE_ID: A unique ID for the report.
- CONTROL_ID: The ID for the control.
A control overview report looks similar to the following example:
| Control ID: COMPLIANT | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Service name | # of resources | Status | Resource Evaluation Details | ||||||||
| Resource ID | Measured Field | Current Value | Expected Value | Status | Evidence Resource URI | Evidence Timestamp | Evidence for Project/Folder | Evidence Link | |||
| Total services in scope for this control | Total resources in audit scope | Compliance status | Resource identifier | Configuration to be measured for audit | Observed values | Compliant values | Individual compliance status | Timestamp when evidence was collected | |||
| product1.googleapis.com | 2 | COMPLIANT | Resource 1 | abc | 10 | >=10 | COMPLIANT | Resource 1 | 12/05/2023 12:55:16 | Project 1 | Link 1 |
| def | 15 | =15 | COMPLIANT | Resource 4 | 12/05/2023 13:55:16 | Project 1 | Link 4 | ||||
| Resource 2 | xyz | 20 | =20 | COMPLIANT | Resource 2 | 12/05/2023 14:55:16 | Project 1 | Link 2 | |||
| product2.googleapis.com | 1 | COMPLIANT | Resource 3 | def | 5 | >=5 | COMPLIANT | Resource 3 | 12/05/2023 15:55:16 | Project 1 | Link 3 |
Evidence
Evidence includes all the resources evaluated for each control, including a raw dump of asset data along with the command that was run to produce the output.
In the destination storage bucket, evidence uses the following naming convention:
audit-reports/audit_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID/evidences/evidenceEVIDENCE_ID.json
The placeholder values are described as follows:
- FRAMEWORK_NAME: The name of the framework, such as
CIS_CONTROLS_V8. - TIMESTAMP: A timestamp when the report was generated.
- UNIQUE_ID: A unique ID for the report.
- EVIDENCE_ID: A unique ID for the evidence.
View Audit Manager reports (new experience)
In the new console experience, you can view your compliance score for controls, cloud controls, and Google Cloud resources in the Audit report pages in the Google Cloud console.
In the Google Cloud console, go to the Audit Manager page.
In the Compliance audits section, click View audits.
Click Switch to new experience.
On the View audits page, you can view the status of an in-progress audit or a completed audit from Audit Manager or Compliance Manager.
For more information about an audit, click the audit name.
The Audit report dashboard includes separate tabs for controls, cloud controls, and resources, each with their own unique counts and diagrams. The Audit report dashboard shows your compliance score. Each tab's dashboard includes the following:
Compliance summary: The percentage is determined as follows:
(Number of evaluated items that compliance / Total number of items) * 100An item can be a control, a cloud control, or a resource. The total number of items includes all the items that are in compliance, in violation, and weren't evaluated (skipped).
Total: The total number of controls or cloud controls in the framework, or the total number of resources that were evaluated.
Compliant: The number of items that met the evaluation requirements.
Violations: The number of items that didn't meet the evaluation requirements.
Inconclusive: The number of items that Audit Manager couldn't determine whether they were in compliance. For example, the configuration or log data that was retrieved didn't clearly match the compliance rules.
Skipped: The number of items that Audit Manager couldn't evaluate because of an error or system issue that was encountered during the assessment. For example, there were insufficient permissions to inspect a specific resource.
Not supported: The number of items that Audit Manager couldn't inspect because they require the evaluation of resources that are outside of Google Cloud.
Evidence collected: The amount of information that was extracted through the technical assessment of the items.
Violating evaluations: The number of rules or resources that Audit Manager assessed as failing.
To download the audit report from the Cloud Storage bucket as an OpenDocument Spreadsheet (ODS), click Download report.
Alternatively, you can download the required report and evidence directly from the destination storage bucket. For the detailed instructions, see Download an object from a bucket.
To view more information about an item's status, click View beside the status. The filtered view shows the applicable control, cloud control, or resource.
In the Control tab, the view is grouped by controls. To see the controls and cloud controls that are grouped within a control, expand the filter.
In the Cloud control tab, the view is grouped by cloud controls.
In the Resources tab, the view is grouped by service API name (for example,
cloudresourcemanager.googleapis.com). To see the applicable resources within a service, expand the filter.
To view a detailed summary about a particular item, click the item in the filtered view. Depending on the tab that you're on, the following information is displayed:
Control report
The Control report page shows the following:
- The control ID and family.
- The shared responsibility status.
- The review status.
- The evaluation status.
- The amount of evidence that was collected during the audit.
- A summary of the evaluation that's generated by Gemini.
- Information about the cloud controls that are part of the control, including the number of cloud controls that are passing and evidence summary.
- A filtered view that provides links to cloud control reports and shared responsibility information.
Cloud control report
The Cloud control report page shows the following:
- The cloud control name and ID.
- The review status.
- The controls (referred to as regulatory controls) that the cloud control belongs to.
- The evaluation status.
- A summary of the evaluation that's generated by Gemini.
- The amount of evidence that was collected during the audit.
- Information about the cloud controls that are part of the control, including the number of evaluations, violations, and evidence.
- A filtered view that provides links to observation summaries and applicable resource reports.
Resource report
The Resource report page shows the following:
- The applicable resource and service.
- The controls (referred to as regulatory controls) and cloud controls that were used to evaluate the resource.
- The evaluation status.
- A summary of the evaluation that's generated by Gemini.
- Observations that were found during the audit, which include the number of evaluations, violations, and evidence.
- A filtered view that provides links to observation summaries and cloud control reports.
Reports in Cloud Storage
The Audit Manager audit reports are available in folders within Cloud Storage storage buckets that use the following convention:
audit-reports/audit_RESOURCE_NAME_FRAMEWORK_NAME_TIMESTAMP/UNIQUE_ID
The placeholder values are described as follows:
- RESOURCE_NAME: The ID of the folder or project, such as
folders_12345orprojects_12345. - FRAMEWORK_NAME: The name of the framework, such as
builtin-nist800-53-revision5. - TIMESTAMP: A timestamp when the report was generated.
- UNIQUE_ID: A unique ID for the report.
Each audit folder includes separate reports available for each control, cloud control, and evidence. Control and cloud control reports are in ODS format and contain detailed descriptions of the compliance evaluation for a single control. These reports provide assessment details for each compliance check with observations and expected values. Evidence reports are in JSON format and include all the resources evaluated for each control, including a raw dump of asset data along with the command that was run to produce the output.