Data Access audit logs (DATA_READ and DATA_WRITE) are enabled for Cloud Storage at the project level. Unlike Admin Activity logs (enabled by default), Data Access logs must be explicitly configured to track read and write operations on Cloud Storage objects.
Risk
Without Data Access audit logs, you cannot track who accessed or modified objects in your Cloud Storage buckets, making it difficult to detect unauthorized access, data exfiltration, or compliance violations.
prowler gcp --checks cloudstorage_audit_logs_enabled
Recommendation
Enable Data Access audit logs (DATA_READ and DATA_WRITE) for Cloud Storage at the project level to track all read and write operations on storage objects for security monitoring and compliance.
Remediation
- Console → IAM & Admin → Audit Logs
- Find 'Google Cloud Storage' in the list of services
- Check the boxes for 'Data Read' and 'Data Write'
- Click 'Save' to apply the configuration
Note: This is a project-level setting that applies to all Cloud Storage buckets in the project.
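The same change can be applied without the Console by editing the project's IAM policy, which is where GCP stores Data Access audit log settings as auditConfigs entries. The following Python is an added example (not Prowler's own check code) that works on the JSON returned by `gcloud projects get-iam-policy PROJECT --format=json`: it reports whether Cloud Storage already has DATA_READ and DATA_WRITE enabled and produces a remediated policy that can be written back with `gcloud projects set-iam-policy PROJECT policy.json`. The sample policy, its etag and its members are constructed; treating an 'allServices' entry as covering Cloud Storage is an assumption about how the Console's all-services toggle is represented, not something this page states.

```python
"""Check and remediate Cloud Storage Data Access audit logs in a GCP project IAM policy.

Added example, not Prowler's code. Input is the policy JSON from
`gcloud projects get-iam-policy PROJECT --format=json`; the sample below is constructed.
"""
import copy
import json

STORAGE_SERVICE = "storage.googleapis.com"
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}

# Constructed sample: only DATA_WRITE is on for Cloud Storage, so the check fails.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwConstructedEtag=",  # placeholder; gcloud returns the real etag
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]}
    ],
    "auditConfigs": [
        {
            "service": STORAGE_SERVICE,
            "auditLogConfigs": [
                {
                    "logType": "DATA_WRITE",
                    "exemptedMembers": ["serviceAccount:backup@example.iam.gserviceaccount.com"],
                }
            ],
        }
    ],
}


def enabled_log_types(policy: dict, service: str) -> set:
    """Return the logTypes enabled for `service`.

    Assumption: an auditConfigs entry with service 'allServices' applies to
    every service, so it counts toward Cloud Storage as well.
    """
    found = set()
    for audit_config in policy.get("auditConfigs", []):
        if audit_config.get("service") in (service, "allServices"):
            for log_config in audit_config.get("auditLogConfigs", []):
                found.add(log_config.get("logType"))
    return found


def storage_data_access_logs_enabled(policy: dict) -> bool:
    """Pass only when both DATA_READ and DATA_WRITE are enabled for Cloud Storage."""
    return REQUIRED_LOG_TYPES <= enabled_log_types(policy, STORAGE_SERVICE)


def enable_storage_data_access_logs(policy: dict) -> dict:
    """Return a copy of `policy` with DATA_READ and DATA_WRITE enabled for Cloud Storage.

    Existing entries (including exemptedMembers) are preserved; only the
    missing log types are appended, so the function is idempotent.
    """
    new_policy = copy.deepcopy(policy)
    audit_configs = new_policy.setdefault("auditConfigs", [])
    for audit_config in audit_configs:
        if audit_config.get("service") == STORAGE_SERVICE:
            break
    else:
        audit_config = {"service": STORAGE_SERVICE, "auditLogConfigs": []}
        audit_configs.append(audit_config)
    log_configs = audit_config.setdefault("auditLogConfigs", [])
    present = {lc.get("logType") for lc in log_configs}
    for log_type in sorted(REQUIRED_LOG_TYPES - present):
        log_configs.append({"logType": log_type})
    return new_policy


if __name__ == "__main__":
    print("before:", storage_data_access_logs_enabled(SAMPLE_POLICY))
    fixed = enable_storage_data_access_logs(SAMPLE_POLICY)
    print("after:", storage_data_access_logs_enabled(fixed))
    # Write this JSON to policy.json and apply it with
    # `gcloud projects set-iam-policy PROJECT policy.json` (keep the etag intact).
    print(json.dumps(fixed, indent=2))
```

Because the policy's etag is carried over unchanged, set-iam-policy will reject the write if someone else modified the policy in between, which is the behaviour you want when touching audit settings.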
Source Code
Resource Type
cloudresourcemanager.googleapis.com/Project