Logging & Monitoring on Google Cloud Storage Buckets
You want to keep a check on all the activities happening on a Google Cloud Storage (GCS) bucket and are not sure how to go about it? You have hit the right page!
This article will help you understand how Google Cloud's operations suite (formerly known as Stackdriver) serves as a one-stop solution for logging, monitoring and alerting, using its various features.
Before we get to the solution, let’s understand auditing.
Auditing, in the context of the cloud, essentially refers to monitoring activities in order to answer the question: "who did what, where, and when?"
Google Cloud services write audit logs that record administrative activities and data accesses within your Google Cloud resources. Enabling audit logs helps your security, auditing, and compliance teams monitor Google Cloud data and systems for possible vulnerabilities or external data misuse, so it is recommended to always enable audit logging. Keep in mind that Admin Activity audit logs are always on, while Data Access audit logs, which is where Cloud Storage object reads, writes and deletes are recorded, are disabled by default and must be turned on for Cloud Storage in the project before an alert on object deletions can see anything.
Cloud Audit Logs maintains several types of audit logs for each Cloud project, folder, and organization.
Now let's go through the steps of creating a log-based alert in Cloud Monitoring.
Step I : Query the audit logs in the Logs Explorer
In the Cloud Console, you can use the Logs Explorer to retrieve your audit log entries at the Cloud project, folder, or organization level:
1. In the Cloud Console, go to the Logging > Logs Explorer page.
Note: If you're using the Legacy Logs Viewer page, switch to the Logs Explorer page.
2. On the Logs Explorer page, select an existing Cloud project, folder, or organization.
3. In the Query builder pane, under Resource type, select the Google Cloud resource whose audit logs you want to see.
In this article we are building an alerting mechanism for GCS bucket events, so our query has the following parameters (comparisons on separate lines are implicitly ANDed by the Logging query language):
resource.type="gcs_bucket"
resource.labels.project_id="XXXXX"
protoPayload.methodName="storage.objects.delete"
Note: Here we want to filter all "Delete object" calls out of the audit logs; replace XXXXX with your own project ID. Because object-level operations are recorded in the Data Access audit logs, this query only returns entries when Data Access logging (DATA_WRITE) is enabled for Cloud Storage in that project. Bucket-level actions such as storage.buckets.delete are recorded in the Admin Activity logs instead and would need a different methodName.
Step II : Add a notification channel
Before adding an alert, we need to create a notification channel. Notification channels describe who is to be notified when action is required. You can include multiple notification channels in an alerting policy. Supported channels range from the Cloud Console Mobile App, PagerDuty, webhooks, email and SMS to Pub/Sub and Slack. In this example, let's create an email-based notification channel.
To create a notification channel by using the Cloud Console, follow these steps:
1. In the Cloud Console, use the project picker to select your Google Cloud project, and then select Monitoring.
2. In the Monitoring navigation pane, click Alerting.
3. Click Edit notification channels.
4. To add a new notification channel, locate the channel type (here, Email) and click Add new.
Step III : Create a log-based alert policy
On the Logs Explorer page, with the query from Step I in place, click 'Create alert'.
Fill in the required fields. I have set the notification interval to 1 hour and the notification channel to 'MyEmail', which was created in the previous step.
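To see what the alert configured in Steps I to III actually does, the following added example (written for this article, not Google's code or console output) replays the query and the 1-hour notification interval against a handful of constructed Cloud Audit Logs entries. The project ID "demo-project", the bucket, the principals and the timestamps are all made up; the field names follow the LogEntry/AuditLog JSON schema (resource.type, resource.labels.project_id, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName, logName, timestamp). It also shows why the Data Access caveat matters: the object deletes arrive in the data_access stream, while a bucket delete in the activity stream never matches the filter.

```python
"""Replay of the article's log-based alert against constructed audit log entries."""
import json
from datetime import datetime, timedelta

PROJECT_ID = "demo-project"  # stands in for the XXXXX placeholder in the article's query


def _entry(method, project, who, resource_name, ts, stream):
    """Build a constructed Cloud Audit Logs LogEntry (made up for this example)."""
    return {
        # Admin Activity entries live in .../cloudaudit.googleapis.com%2Factivity,
        # Data Access entries (object reads/writes/deletes) in ...%2Fdata_access.
        "logName": f"projects/{project}/logs/cloudaudit.googleapis.com%2F{stream}",
        "resource": {"type": "gcs_bucket",
                     "labels": {"project_id": project, "bucket_name": "demo-bucket"}},
        "protoPayload": {
            "methodName": method,
            "authenticationInfo": {"principalEmail": who},
            "resourceName": resource_name,
        },
        "timestamp": ts,
    }


OBJ = "projects/_/buckets/demo-bucket/objects/report.csv"
BUCKET = "projects/_/buckets/demo-bucket"
# Constructed sample input: two deletes inside one hour, one later, plus noise.
SAMPLE_ENTRIES = [
    _entry("storage.objects.delete", PROJECT_ID, "alice@example.com", OBJ, "2023-05-01T10:00:00Z", "data_access"),
    _entry("storage.objects.get", PROJECT_ID, "bob@example.com", OBJ, "2023-05-01T10:05:00Z", "data_access"),
    _entry("storage.objects.delete", "other-project", "eve@example.com", OBJ, "2023-05-01T10:10:00Z", "data_access"),
    _entry("storage.objects.delete", PROJECT_ID, "bob@example.com", OBJ, "2023-05-01T10:30:00Z", "data_access"),
    _entry("storage.buckets.delete", PROJECT_ID, "alice@example.com", BUCKET, "2023-05-01T10:45:00Z", "activity"),
    _entry("storage.objects.delete", PROJECT_ID, "alice@example.com", OBJ, "2023-05-01T11:30:00Z", "data_access"),
]


def matches_alert_filter(entry, project_id=PROJECT_ID):
    """Same predicate as the article's Logs Explorer query: resource.type="gcs_bucket",
    resource.labels.project_id=<project>, protoPayload.methodName="storage.objects.delete"."""
    resource = entry.get("resource", {})
    payload = entry.get("protoPayload", {})
    return (resource.get("type") == "gcs_bucket"
            and resource.get("labels", {}).get("project_id") == project_id
            and payload.get("methodName") == "storage.objects.delete")


def audit_log_stream(entry):
    """'activity' (Admin Activity, always on) or 'data_access' (off by default for GCS)."""
    return entry.get("logName", "").rsplit("%2F", 1)[-1]


def summarize(entry):
    """Answer the auditing question from the article: who did what, where, and when?"""
    payload = entry.get("protoPayload", {})
    return {"who": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            "what": payload.get("methodName"),
            "where": payload.get("resourceName"),
            "when": entry.get("timestamp"),
            "stream": audit_log_stream(entry)}


def _parse_ts(ts):
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


class LogBasedAlertPolicy:
    """Hypothetical replica of the Step III alert: every filter match counts as an
    incident, but at most one notification goes out per notification_interval."""

    def __init__(self, project_id=PROJECT_ID, notification_interval=timedelta(hours=1)):
        self.project_id = project_id
        self.interval = notification_interval
        self.last_notified = None
        self.matched = 0

    def process(self, entry):
        """Return a notification dict, or None if the entry is ignored or rate-limited."""
        if not matches_alert_filter(entry, self.project_id):
            return None
        self.matched += 1
        when = _parse_ts(entry["timestamp"])
        if self.last_notified is not None and when - self.last_notified < self.interval:
            return None  # still inside the notification interval: suppressed
        self.last_notified = when
        return summarize(entry)


def run_policy(entries, project_id=PROJECT_ID, notification_interval=timedelta(hours=1)):
    """Feed entries in timestamp order; return (notifications sent, number of filter matches)."""
    policy = LogBasedAlertPolicy(project_id, notification_interval)
    ordered = sorted(entries, key=lambda e: _parse_ts(e["timestamp"]))
    notifications = [n for n in map(policy.process, ordered) if n is not None]
    return notifications, policy.matched


if __name__ == "__main__":
    sent, hits = run_policy(SAMPLE_ENTRIES)
    print(f"{hits} entries matched the filter, {len(sent)} notifications sent")
    for note in sent:
        print(json.dumps(note))
```

Run stand-alone, the script reports three filter matches but only two notifications: Bob's delete at 10:30 falls inside the 1-hour interval after Alice's at 10:00 and is suppressed, which is exactly the trade-off the notification interval buys you (less noise, but a burst of deletes shows up as a single email). The storage.objects.get, the delete in another project and the bucket delete in the activity stream never match, so if your Data Access logs are switched off the data_access entries simply never exist and the policy stays silent.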
With this, we have successfully configured alert notifications for object deletions in the Google Cloud Storage bucket. If you have tried this out in your own Google Cloud account for demo purposes, don't forget to delete the resources at the end of your trial!