Cloud Audit Logging

How audit logs record every control plane action so you can investigate, detect, and prove what happened.

A Record of Every Action

A cloud audit log records who did what, when, and from where across the control plane. Every API call to create, modify, or delete a resource leaves an entry. Without it, an investigation after an incident is blind.

What an Entry Captures

  • The identity that made the request.
  • The action taken and the resource affected.
  • The time and the source address.
  • Whether the request was allowed or denied.

Why It Is Essential

  • Investigation reconstructs an attacker timeline step by step.
  • Detection spots suspicious patterns, such as a key suddenly used from a new region.
  • Compliance proves controls operated as required.

Protecting the Logs

An attacker who can delete logs can hide their tracks. Strong practice keeps audit logs tamper-resistant.

  • Centralize logs into a separate account the workload cannot edit.
  • Restrict who can read or delete them.
  • Alert on attempts to disable logging itself.
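The two detections named above (a key suddenly used from a new region, and an attempt to disable logging itself) can be run over audit entries as in this added example, which is not part of the original lesson. The field names, action names, and sample entries are constructed assumptions, not any provider's schema.

```python
import json

# Constructed sample entries (JSON lines). Field names are assumptions, not a real schema.
SAMPLE_LOG = """\
{"time": "2024-05-01T09:00:00Z", "identity": "key-app-1", "action": "storage.read", "resource": "bucket/reports", "source_ip": "198.51.100.10", "region": "eu-west", "result": "allowed"}
{"time": "2024-05-01T09:05:00Z", "identity": "key-app-1", "action": "storage.read", "resource": "bucket/reports", "source_ip": "198.51.100.10", "region": "eu-west", "result": "allowed"}
{"time": "2024-05-01T09:20:00Z", "identity": "key-app-1", "action": "iam.create_key", "resource": "user/svc", "source_ip": "203.0.113.77", "region": "ap-south", "result": "allowed"}
{"time": "2024-05-01T09:21:00Z", "identity": "key-app-1", "action": "logging.disable", "resource": "audit/main", "source_ip": "203.0.113.77", "region": "ap-south", "result": "denied"}
{"time": "2024-05-01T09:30:00Z", "identity": "admin-alice", "action": "compute.create", "resource": "vm/web-1", "source_ip": "198.51.100.20", "region": "eu-west", "result": "allowed"}
"""

# Hypothetical action names standing in for whatever disables or deletes audit logging.
LOGGING_TAMPER_ACTIONS = {"logging.disable", "logging.delete_sink"}


def parse_entries(text):
    """Parse JSON-lines audit entries and order them by timestamp."""
    entries = [json.loads(line) for line in text.splitlines() if line.strip()]
    # Same-format ISO 8601 UTC timestamps sort correctly as strings.
    return sorted(entries, key=lambda e: e["time"])


def detect(entries, baseline=None):
    """Return (kind, identity, detail, result, time) alerts.

    baseline maps identity -> regions already known for it (optional).
    """
    seen = {ident: set(regions) for ident, regions in (baseline or {}).items()}
    alerts = []
    for e in entries:
        ident, region = e["identity"], e["region"]
        if e["action"] in LOGGING_TAMPER_ACTIONS:
            # Alert on the attempt itself, whether it was allowed or denied.
            alerts.append(("logging_tamper", ident, e["action"], e["result"], e["time"]))
        regions = seen.setdefault(ident, set())
        # An identity with no history is learned silently; only a change alerts.
        if regions and region not in regions:
            alerts.append(("new_region", ident, region, e["result"], e["time"]))
        regions.add(region)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_entries(SAMPLE_LOG)):
        print(alert)
```

Running the detection from the separate logging account, rather than inside the workload account, keeps it working even if the workload's credentials are compromised.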

Key idea

Cloud audit logs capture the identity, action, resource, and result of every control plane request, and centralizing them in a tamper-resistant store enables investigation, detection, and compliance.

Check yourself

1. What does a cloud audit log primarily record?

2. Why centralize audit logs into a separate account?

3. How do audit logs support detection?