Topic 9 Question 55
To minimize the risk of someone changing your log files to hide their activities, which of the following principles would help? (Choose three.)
A. Restrict usage of the owner role for projects and log buckets.
B. Require two people to inspect the logs.
C. Implement object versioning on the log buckets.
D. Encrypt the logs using Cloud KMS.
Explanation
Logs are stored to Cloud Storage in the originating project. By default, project owners and editors have ownership permissions for all Cloud Storage buckets in the project and objects under the bucket's hierarchical permissions model. To minimize the risk of inadvertent or malicious changes to your logs, apply the following principles.
Least privilege - Grant the least-broad permissions that are required to do the job. Restrict the usage of the owner role for projects and log buckets.
Non-repudiation - Cloud Storage automatically encrypts all data before it is written to disk. [Since the logs are already encrypted at rest, encrypting them with Cloud KMS is not required.] You can provide some additional assurance of non-repudiation by implementing object versioning on the log buckets. When an object is overwritten or deleted in a bucket, a copy of the object is automatically saved with generation properties that identify it. Unfortunately, this feature can't protect against a project owner deleting the archived object or disabling the versioning.
Separation of duties - You can provide some additional assurance of separation of duties. For example, you might require two people to inspect and sign off on the logs. You can copy the log buckets to a project that has a different owner by using gsutil cp as part of a frequent cron job, or, if more than 10 TB of log data is copied at a time, by using the Cloud Storage Transfer Service. This approach can't protect against a project owner who deletes the original bucket before the copy occurs or who disables the original logging.
Reference: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations#prevent_unwanted_changes_to_logs
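As an added configuration example (not part of the original page or of Google's documentation), the following Terraform declares a log bucket that follows the three principles above: versioning on the bucket, a write-only sink identity instead of owner-level access, and a copy bucket in a project with a different owner as the destination for the periodic gsutil cp job. Project ids, bucket names and the auditor group are placeholders.

```hcl
# Hardened log bucket. Versioning keeps a generation of every overwritten or
# deleted object; without it an overwrite leaves no trace. Uniform bucket-level
# access removes per-object ACLs so IAM is the only access path.
resource "google_storage_bucket" "logs" {
  name                        = "example-logs"        # placeholder
  location                    = "US"
  project                     = "example-src-project" # placeholder
  uniform_bucket_level_access = true
  versioning {
    enabled = true
  }
}

# Route project logs to the bucket through a dedicated writer identity.
resource "google_logging_project_sink" "logs" {
  name                   = "example-logs-sink"   # placeholder
  project                = "example-src-project" # placeholder
  destination            = "storage.googleapis.com/${google_storage_bucket.logs.name}"
  unique_writer_identity = true
}

# Least privilege: the sink may only create objects, never overwrite or delete.
resource "google_storage_bucket_iam_member" "sink_writer" {
  bucket = google_storage_bucket.logs.name
  role   = "roles/storage.objectCreator"
  member = google_logging_project_sink.logs.writer_identity
}

# Reviewers get read-only access and hold no owner role on the project.
resource "google_storage_bucket_iam_member" "auditor" {
  bucket = google_storage_bucket.logs.name
  role   = "roles/storage.objectViewer"
  member = "group:log-auditors@example.com" # placeholder
}

# Separation of duties: the copy job's destination lives in a project with a
# different owner, so one owner cannot erase both the original and the copy.
resource "google_storage_bucket" "logs_copy" {
  name                        = "example-logs-copy"     # placeholder
  location                    = "US"
  project                     = "example-audit-project" # placeholder
  uniform_bucket_level_access = true
  versioning {
    enabled = true
  }
}
```

The copy bucket still depends on the cron job running before an owner of the source project deletes the original bucket, which is the residual risk the explanation calls out.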
Comments (8)
mikey007 (2020/06/14, 👍 28): ACD should be correct.
A10G (2021/01/08, 👍 5): ACD for me. Seems B is only monitoring the logs but not restricting it. D can be correct because we can encrypt it with KMS and provide access to the KMS key with certain predefined roles like roles/cloudkms.cryptoKeyDecrypter and roles/cloudkms.cryptoKeyEncrypter only to authorized members or service accounts.
nerdicbynature (2020/08/19, 👍 4): Option B actually does not prevent manipulating logs, so ACD.