The following guidelines for the minimum viable security platform align with the monitoring, logging, and alerting pillar.
Basic level guidelines
Implement the following monitoring, logging, and alerting guidelines first.
| Item | Subscribe to security bulletins |
|---|---|
| Description | Subscribe to the security bulletin notifications for Google Cloud products so that you are notified of vulnerabilities and mitigation measures. |
| Related information | |
| Item ID | MVSP-CO-1.54 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: |
| Item | Configure Essential Contacts groups |
|---|---|
| Description | Configure Essential Contacts to ensure that a monitored group alias or mailing list receives important notifications. Google sends critical security alerts (like a potential account compromise) to the email addresses listed as Essential Contacts. If an individual's email is used for this purpose, the alert is missed if that person is unavailable or has left the company. Using a monitored group email address helps ensure these time-sensitive alerts are delivered to an active team that can respond quickly. |
| Related information | |
| Item ID | MSVP-CO-1-55 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: ; Compliance Manager control: |
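The Essential Contacts configuration described above, as an added Terraform example (not code from the original page); the organization ID and the group address are placeholders, and the group is registered only for the categories the security team should act on:

```hcl
# Added example (not from the original page): declares a monitored group
# alias as an organization-level Essential Contact. The org ID and the
# group address are placeholders.

variable "org_id" {
  description = "Numeric organization ID (placeholder)"
  type        = string
  default     = "123456789012"
}

# A group alias, never an individual's mailbox, so alerts still reach an
# active team if one member is unavailable or has left the company.
variable "security_contact_group" {
  type    = string
  default = "cloud-security-alerts@example.com"
}

resource "google_essential_contacts_contact" "security" {
  parent       = "organizations/${var.org_id}"
  email        = var.security_contact_group
  language_tag = "en-US"

  # Only the categories this group is expected to act on. SECURITY covers
  # critical alerts such as a suspected account compromise; SUSPENSION
  # covers notices that a project is about to be suspended.
  notification_category_subscriptions = [
    "SECURITY",
    "SUSPENSION",
  ]
}
```

The Essential Contacts API must be enabled in the project that runs Terraform before this resource can be applied.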
| Item | Monitor billing anomalies |
|---|---|
| Description | Use the billing anomaly feature in Cloud Billing to track any spikes or deviations in expected spend. A sudden, unexpected spike in a cloud bill is a primary indicator of a security compromise. Unexpected billing spikes are sometimes caused by attackers who have gained access and are using resources for unauthorized activities. Enabling billing anomaly detection provides an essential early warning system so that you can automatically flag this suspicious activity. |
| Related information | |
| Item ID | MSVP-CO-1-56 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: |
Intermediate level guidelines
After you have implemented the basic guidelines, implement the following monitoring, logging, and alerting guidelines.
| Item | Enable Firewall Rules Logging |
|---|---|
| Description | By default, firewall rules don't automatically write logs. Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Logging is also useful if you want to determine how many connections are affected by a given firewall rule. Enable logging for each firewall rule. You can configure logging as part of the pipeline that you use to create firewall rules. |
| Related information | |
| Item ID | MSVP-CO-1-58 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: ; Compliance Manager control: |
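An added Terraform example (not code from the original page) that enables Firewall Rules Logging on a deny rule and pairs it with a log-based metric counting the connections the rule denies, so a deny rule that never fires shows up as a zero count; the project and network names are placeholders, and the filter assumes the `jsonPayload.disposition` and `jsonPayload.rule_details.reference` fields of firewall log entries:

```hcl
# Added example (not from the original page): a deny rule with logging
# enabled, plus a log-based metric for verifying it matches as intended.
# Project and network names are placeholders.

variable "project_id" { default = "my-project-placeholder" }
variable "network"    { default = "default" }

resource "google_compute_firewall" "deny_inbound_rdp" {
  name      = "deny-inbound-rdp"
  project   = var.project_id
  network   = var.network
  direction = "INGRESS"
  priority  = 900

  deny {
    protocol = "tcp"
    ports    = ["3389"]
  }
  source_ranges = ["0.0.0.0/0"]

  # Firewall rules do not log by default; logging is switched on per rule.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Count the firewall log entries this rule produced with disposition DENIED.
# The metric stays at zero if the rule never matches, which is the signal
# that a rule meant to block traffic is not doing so.
resource "google_logging_metric" "rdp_denied" {
  name    = "deny_inbound_rdp_denied"
  project = var.project_id
  filter  = <<-EOT
    resource.type="gce_subnetwork"
    logName="projects/${var.project_id}/logs/compute.googleapis.com%2Ffirewall"
    jsonPayload.disposition="DENIED"
    jsonPayload.rule_details.reference="network:${var.network}/firewall:${google_compute_firewall.deny_inbound_rdp.name}"
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}
```

Drop the `jsonPayload.disposition` line from the filter to count every connection the rule evaluates, which answers the "how many connections are affected" question above.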
| Item | Share audit logs from Cloud Identity |
|---|---|
| Description | If you use Cloud Identity, share audit logs from Cloud Identity with Google Cloud. Admin Activity audit logs from Google Workspace or Cloud Identity are ordinarily managed and viewed in the Google Admin console, separately from the logs in your Google Cloud environment. These logs contain information that is relevant to your Google Cloud environment, such as user login events. We recommend that you share Cloud Identity audit logs with your Google Cloud environment so that you can centrally manage logs from all sources. |
| Related information | |
| Item ID | MSVP-CO-1-59 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: ; Compliance Manager control: |
Advanced level guidelines
After you have implemented the intermediate guidelines, implement the following monitoring, logging, and alerting guidelines.
| Item | Enable Access Transparency logs |
|---|---|
| Description | Standard logs show you what your organization's own users are doing, but Access Transparency logs show what Google support staff do when they access the account. This access typically only happens in response to a support request. Access Transparency logs provide a complete and verifiable audit trail of all access, which is essential for meeting strict compliance and data governance requirements. You can enable Access Transparency at the organization level. |
| Related information | |
| Item ID | MSVP-CO-1-57 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: ; Compliance Manager control: |
| Item | Export logs to a log sink for long-term storage |
|---|---|
| Description | Create a log sink to export logs for your security monitoring solution and set the retention period to meet your requirements. The default log retention periods are often not long enough to meet the 1-7 year requirements mandated by compliance regulations like PCI or HIPAA. Creating a log sink to export logs to a long-term storage location is essential for meeting certain legal and regulatory obligations. Log sinks also let you send logs to a centralized security monitoring system for advanced threat detection. |
| Related information | |
| Item ID | MSVP-CO-1-60 |
| Mapping | Related NIST-800-53 controls: ; Related CRI profile controls: ; Compliance Manager control: |
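The long-term export described above, as an added Terraform example (not code from the original page): an organization-level aggregated sink that routes audit logs to a Cloud Storage bucket whose retention policy is set and locked for seven years, the upper end of the 1-7 year range mentioned above; the organization ID, project and bucket name are placeholders.

```hcl
# Added example (not from the original page): organization-wide audit log
# sink into a retention-locked Cloud Storage bucket. IDs are placeholders.

variable "org_id"          { default = "123456789012" }
variable "logging_project" { default = "logging-project-placeholder" }

resource "google_storage_bucket" "audit_archive" {
  name                        = "audit-log-archive-placeholder"
  project                     = var.logging_project
  location                    = "US"
  storage_class               = "COLDLINE"
  uniform_bucket_level_access = true

  # Objects cannot be deleted or overwritten until the period elapses.
  # is_locked makes the policy itself irreversible, so even a compromised
  # admin cannot shorten retention; choose the period before locking.
  retention_policy {
    retention_period = 7 * 365 * 24 * 60 * 60 # seconds
    is_locked        = true
  }
}

resource "google_logging_organization_sink" "audit_archive" {
  name             = "audit-logs-to-archive"
  org_id           = var.org_id
  destination      = "storage.googleapis.com/${google_storage_bucket.audit_archive.name}"
  include_children = true # every folder and project under the organization

  # Admin Activity, Data Access and System Event audit logs only.
  filter = "logName:\"cloudaudit.googleapis.com\""
}

# The sink writes through its own service account; grant it object creation
# on the archive bucket and nothing more.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.audit_archive.name
  role   = "roles/storage.objectCreator"
  member = google_logging_organization_sink.audit_archive.writer_identity
}
```

A second sink with the same filter can point at a Pub/Sub topic or BigQuery dataset for the centralized security monitoring system, while this one remains the immutable archive.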