GCP – Introducing audit-only mode for Access Approval
As part of our commitment to cloud workload security and transparency, today, we’re introducing a new, lightweight audit-only mode for Access Approval to enable access approvals in an “on demand only” model. This new capability is available at no extra charge in the Security section of the Google Cloud Console.
Previously, Access Approval delivered robust security by ensuring all Google Cloud accesses were reviewed. While incredibly effective as a mitigation control, this comprehensive approach meant administrators frequently reviewed access to both sensitive and non-sensitive data, which could add administrative overhead. It also wasn’t specifically designed to easily enable audit log-powered reactive control strategies — a need we’ve heard from many customers. Our new audit-only mode builds on that strong foundation, offering the flexibility to tailor Access Approval to your specific product needs and security workflows.
The new audit-only mode keeps the existing benefits of Access Approval (access notifications, revocable Access Approval events, and a Cloud Console or API based user experience) and adds the ability to run in audit mode and to limit approvals to specific products.
Workload administrators can also switch the Access Approval policy at any time to change enforcement temporarily. For example, you can require approval for every Google Cloud access during a critical launch week and return to audit-only mode afterwards.
Here’s how you can use it:

1. Detect a finding by analysing an Access Transparency log entry (for example, a write action).
2. Navigate to Access Approval.
3. Locate the event using the “approvalID” recorded in the Access Transparency log.
4. Revoke access to the data associated with that access event.
5. Google will now require customer approval to access the resource from that access event going forward.
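Step 1 and step 3 above depend on pulling the right fields out of an Access Transparency log entry: the method that was called, the resource it touched, and the approval request ID that links the entry to an event in Access Approval. The following is an added example, not code from the original post or from Google: it runs a simple write-action detection over a few constructed Cloud Logging lines. The nested field names (`protoPayload.@type`, `protoPayload.accesses[].methodName`, `protoPayload.accessApprovals`) and the write-verb heuristic are assumptions about the log shape and should be checked against a real exported entry before use.

```python
import json
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample Cloud Logging entries carrying Access Transparency
# payloads. They are invented for this example. The nested field names are
# an assumption about the log shape; verify them against a real entry.
SAMPLE_LOG_LINES = [
    json.dumps({
        "insertId": "at-0001",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "accesses": [{"methodName": "GoogleInternal.Read",
                          "resourceName": "projects/example-proj/buckets/app-logs"}],
            "accessApprovals": ["projects/example-proj/approvalRequests/req-0001"],
            "accessJustifications": [{"justification": "CUSTOMER_INITIATED_SUPPORT"}],
        },
    }),
    json.dumps({
        "insertId": "at-0002",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "accesses": [{"methodName": "google.cloud.sql.v1beta4.SqlInstancesService.Update",
                          "resourceName": "projects/example-proj/instances/prod-db"}],
            "accessApprovals": ["projects/example-proj/approvalRequests/req-0002"],
            "accessJustifications": [{"justification": "GOOGLE_INITIATED_SERVICE"}],
        },
    }),
    json.dumps({
        "insertId": "at-0003",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.TransparencyLog",
            "accesses": [{"methodName": "google.storage.v1.Storage.DeleteObject",
                          "resourceName": "projects/example-proj/buckets/app-logs/objects/x"}],
            "accessApprovals": [],
            "accessJustifications": [{"justification": "GOOGLE_INITIATED_REVIEW"}],
        },
    }),
    # Not an Access Transparency entry: an ordinary Admin Activity audit log line.
    json.dumps({
        "insertId": "aa-0001",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": "storage.buckets.update",
        },
    }),
]

TRANSPARENCY_TYPE = "type.googleapis.com/google.cloud.audit.TransparencyLog"

# Heuristic (assumption): the last segment of an RPC method name carries the
# verb, so a prefix match on it separates writes from reads.
WRITE_VERB_PREFIXES = ("Create", "Update", "Delete", "Patch", "Set", "Write",
                       "Insert", "Modify", "Put")


@dataclass
class Finding:
    insert_id: str
    method_name: str
    resource_name: str
    approval_ids: List[str] = field(default_factory=list)


def is_write_method(method_name: str) -> bool:
    verb = method_name.rsplit(".", 1)[-1]
    return verb.startswith(WRITE_VERB_PREFIXES)


def approval_id(request_name: str) -> str:
    """'projects/p/approvalRequests/ID' -> 'ID', the value to search for in Access Approval."""
    return request_name.rsplit("/", 1)[-1]


def find_write_access_findings(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per write-like access in the Access Transparency entries."""
    findings: List[Finding] = []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        payload = entry.get("protoPayload", {})
        if payload.get("@type") != TRANSPARENCY_TYPE:
            continue
        approvals = [approval_id(n) for n in payload.get("accessApprovals", [])]
        for access in payload.get("accesses", []):
            method = access.get("methodName", "")
            if is_write_method(method):
                findings.append(Finding(entry.get("insertId", ""), method,
                                        access.get("resourceName", ""), approvals))
    return findings


if __name__ == "__main__":
    for f in find_write_access_findings(SAMPLE_LOG_LINES):
        where = (f"approval ID {', '.join(f.approval_ids)}" if f.approval_ids
                 else "no approval ID attached, cannot be located in Access Approval")
        print(f"{f.insert_id}: {f.method_name} on {f.resource_name} ({where})")
```

The approval ID the function extracts is the value you search for in the Access Approval console to find the event to revoke. A finding with an empty `approval_ids` list (the third constructed entry) is the failure mode to watch for: the write is visible in Access Transparency, but without an approval request name there is nothing to look up, so the reactive workflow above cannot be completed from that entry alone.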
Our customers have said that adding an additional source of audit log data linked to mitigation workflows can be invaluable. For example, for organizations with strict change-management processes, enabling Access Approval in full is a suitable control for these workloads. For other organizations, Google Cloud’s Access Approval audit mode with access mitigation is part of a comprehensive disaster mitigation plan that is available on demand without interrupting general administrative workflows.
With the new audit-only mode policy in Access Approval, workload administrators can now add Access Approval to on-demand security mitigation plans — all without incurring additional operating burden on access events. With Access Approval, you hold the control options to limit Google Cloud’s administrative and support access to your data on-demand, when you choose to apply it.
To get started today with Access Approval’s audit-only mode, read our setup guide.