Audit Logging and Retention Gaps

Description

Disabling Admin or Data Access logs, not exporting logs to a central destination, or keeping short retention windows reduces forensic visibility and detection capability. Missing audit logs for critical services (IAM, Storage, BigQuery, KMS) and the lack of immutable exports leave investigators without a trustworthy record of who did what and when.

Examples

Check Logging Sinks and Settings

gcloud logging sinks list
gcloud logging settings describe
gcloud logging buckets list --location=global
gcloud logging buckets describe _Required --location=global
gcloud logging sinks create org-bq-sink bigquery.googleapis.com/projects/<proj>/datasets/<ds> \
  --include-children --organization=<org>

Remediation

  1. Enable Admin and Data Access logs for critical services (IAM, KMS, Storage, BigQuery, Compute).
  2. Export logs to BigQuery/Cloud Storage with long retention; protect export destinations with org policy/ACLs.
  3. Monitor for changes to logging configuration and sinks; enforce minimum retention on logging buckets.
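The following script is an added example, not part of the original entry, that turns the checks above into an offline assessment of the JSON that the listed gcloud commands produce with --format=json (the IAM policy's auditConfigs from "gcloud projects get-iam-policy", "gcloud logging buckets list" and "gcloud logging sinks list"). The sample documents, the project name, the member e-mail and the 365-day minimum are constructed for illustration. It merges the allServices audit config with per-service entries the way GCP does (union of both), reports critical services missing ADMIN_READ/DATA_READ/DATA_WRITE, lists exempted principals, flags log buckets below the retention floor, and confirms at least one enabled sink exports outside Cloud Logging.

```python
import json

# Services the entry calls critical and the log types each should have enabled.
REQUIRED_SERVICES = (
    "iam.googleapis.com", "cloudkms.googleapis.com", "storage.googleapis.com",
    "bigquery.googleapis.com", "compute.googleapis.com",
)
REQUIRED_LOG_TYPES = frozenset({"ADMIN_READ", "DATA_READ", "DATA_WRITE"})


def effective_audit_configs(policy):
    """Merge the allServices entry with per-service entries (GCP applies the union)."""
    base_types, base_exempt, per_service = set(), set(), {}
    for cfg in policy.get("auditConfigs", []):
        log_cfgs = cfg.get("auditLogConfigs", [])
        types = {c["logType"] for c in log_cfgs}
        exempt = {m for c in log_cfgs for m in c.get("exemptedMembers", [])}
        if cfg.get("service") == "allServices":
            base_types |= types
            base_exempt |= exempt
        else:
            per_service[cfg["service"]] = (types, exempt)
    effective = {}
    for svc in REQUIRED_SERVICES:
        types, exempt = per_service.get(svc, (set(), set()))
        effective[svc] = (base_types | types, base_exempt | exempt)
    return effective


def audit_log_gaps(policy):
    """{service: sorted missing log types} for every critical service with a gap."""
    gaps = {}
    for svc, (types, _) in effective_audit_configs(policy).items():
        missing = REQUIRED_LOG_TYPES - types
        if missing:
            gaps[svc] = sorted(missing)
    return gaps


def exempted_principals(policy):
    """Principals whose access to a critical service is not logged (blind spots)."""
    return sorted({m for _, exempt in effective_audit_configs(policy).values() for m in exempt})


def short_retention_buckets(buckets, min_days):
    """Log buckets retaining fewer than min_days (the _Required bucket is fixed and locked)."""
    return sorted(b["name"] for b in buckets if b.get("retentionDays", 0) < min_days)


def sinks_exporting_externally(sinks):
    """Enabled sinks whose destination is outside Cloud Logging (BigQuery, GCS, Pub/Sub)."""
    return sorted(s["name"] for s in sinks
                  if not s.get("disabled", False)
                  and not s["destination"].startswith("logging.googleapis.com/"))


# Constructed sample inputs (shape matches gcloud --format=json output, values are fictional).
SAMPLE_POLICY = {"auditConfigs": [
    {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": "storage.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]},
    {"service": "iam.googleapis.com",
     "auditLogConfigs": [{"logType": "DATA_WRITE",
                          "exemptedMembers": ["user:break-glass@example.com"]}]},
]}
SAMPLE_BUCKETS = [
    {"name": "projects/example-proj/locations/global/buckets/_Required",
     "retentionDays": 400, "locked": True},
    {"name": "projects/example-proj/locations/global/buckets/_Default",
     "retentionDays": 30},
]
SAMPLE_SINKS = [
    {"name": "_Default", "destination":
     "logging.googleapis.com/projects/example-proj/locations/global/buckets/_Default"},
    {"name": "org-bq-sink", "includeChildren": True, "destination":
     "bigquery.googleapis.com/projects/example-proj/datasets/org_audit_logs"},
    {"name": "old-gcs-sink", "disabled": True, "destination":
     "storage.googleapis.com/example-archive-bucket"},
]


def report(policy, buckets, sinks, min_retention_days=365):
    """Collect every finding in one dict; empty lists/dicts mean the check passed."""
    return {
        "missing_audit_log_types": audit_log_gaps(policy),
        "exempted_principals": exempted_principals(policy),
        "buckets_below_retention_floor": short_retention_buckets(buckets, min_retention_days),
        "external_export_sinks": sinks_exporting_externally(sinks),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_POLICY, SAMPLE_BUCKETS, SAMPLE_SINKS), indent=2))
```

Feed it real output by piping the three gcloud commands into files and loading them with json.load; an empty "external_export_sinks" list means logs only live in Cloud Logging buckets, which is exactly the gap the entry describes, and any name in "exempted_principals" deserves the same scrutiny as a disabled log type.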