Data security with Log Analytics

This document describes Google Cloud features that can help prevent data exfiltration through phishing, insider attacks, or external entities when you are using Log Analytics. It also describes the two query engines available for Log Analytics and how the choice of query engine affects what data you can query.

Organization restrictions

You can use organization restrictions to restrict principals such that they only have access to resources in authorized Google Cloud organizations. Essentially, when you configure organization restrictions you are configuring an egress proxy. For example, you can use organization restrictions to prevent data stored by the organization from being combined with external data when you use Log Analytics.

To learn more, see Configure organization restrictions.

VPC Service Controls

VPC Service Controls helps protect against accidental or targeted action by external entities or insider entities, which helps to minimize unwarranted data exfiltration risks from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify.

A VPC Service Controls perimeter is a security boundary around Google Cloud resources. It allows free communication within the perimeter but, by default, blocks communication to Google Cloud services across the perimeter. A perimeter doesn't block access to any third-party APIs or services on the internet.

Don't confuse a VPC Service Controls perimeter with a virtual private cloud network. A VPC Service Controls perimeter is a security boundary.

To learn more, see Set up a service perimeter.

Choose your Log Analytics query engine

Log Analytics lets you run your SQL queries on either the default Logging engine or on the BigQuery engine. This section describes the differences between these two options.

To set the query engine, on the Log Analytics page, use the settings Settings menu:

Go to Log Analytics

Run queries on the default query engine

The default query engine is managed by Google Cloud Observability. When you use this engine, you can query the following:

• Log views
• Analytics views

The following table summarizes how Cloud Logging uses Identity and Access Management (IAM) roles to control access to the data it stores:

Source queried by Log Analytics	Required IAM role(s) to read source data
_AllLogs view on the _Required log bucket	Logs Viewer (roles/logging.viewer) on the project that stores the _Required log bucket.
_AllLogs view on the _Default log bucket	Private Logs Viewer (roles/logging.privateLogViewer) on the project that stores the _Default log bucket.
_Default view on the _Default log bucket	Logs Viewer (roles/logging.viewer) on the project that stores the _Default log bucket.
Custom log views (on any log bucket)	For read access to all log views in a project: Logs View Accessor (roles/logging.viewAccessor) on the project. For read access to only a specific log view in a project, one of the following: Logs View Accessor (roles/logging.viewAccessor) on the project. However, include an IAM condition on the role that restricts the grant to a specific log view. A binding for your ID is included in the IAM policy for the log view.
Analytics views	All of the following: Observability Analytics User (roles/observability.analyticsUser) on the project. An IAM role that provides read-access to the log view that is queried by the analytics view.

To learn more about Logging roles, see Access control with IAM.

Run queries on the BigQuery engine

The BigQuery engine can run queries that include joins of a log view with other BigQuery tables. However, to use this engine, you must create a linked BigQuery dataset on the corresponding log bucket. A linked dataset is a read-only BigQuery dataset that serves as a pointer to a shared dataset.

If you create linked datasets for your log buckets, then you expand the security boundary of that data to include BigQuery services. That is, BigQuery services can now query your log data by issuing a query to a linked dataset.

If you set the query engine to be BigQuery, then the following are true:

• You can query log views when a linked BigQuery dataset exists for the associated log bucket. However, the Log Analytics service enhances queries that are sent to the BigQuery engine. For this reason, if you view BigQuery metadata, it might be different than expected.

• Before a query is run, your BigQuery IAM permissions are checked.

• Queries that you run on the BigQuery engine are subject to BigQuery pricing.

The following table summarizes how the BigQuery engine uses IAM to control access to the source data:

Source queried by Log Analytics	Required IAM role(s) to read source data
_AllLogs view on the _Required log bucket	All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Required log bucket. An IAM role that includes the logging.links.list permission.
_AllLogs view on the _Default log bucket	All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Default log bucket. An IAM role that includes the logging.links.list permission.
_Default view on the _Default log bucket	All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Default log bucket. An IAM role that includes the logging.links.list permission.
Custom log views (on any log bucket)	All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the log bucket. An IAM role that includes the logging.links.list permission.
Analytics views	Not supported.
Log view joined with a BigQuery table	All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked datasets for the log bucket and the other BigQuery table. An IAM role that includes the logging.links.list permission.

To learn about managing access to linked BigQuery datasets, see BigQuery Access Control.

What's next

• Save and share a SQL query.
• Sample SQL queries.
• Chart SQL query results.