Google Cloud Storage Audit Logs
Cloud & SaaS | Data Access & Storage | Google Cloud | Cloud Storage | Cloud Control Plane | SIEM / Log Aggregator
Location
Cloud Logging entries for storage.googleapis.com and bucket-level audit activity
Description
Bucket and object access audit records for Google Cloud Storage, including reads, writes, deletes, ACL changes, and bucket-configuration modifications when the relevant audit streams are enabled.
Forensic Value
Cloud Storage audit logs are critical for confirming what data was accessed or exfiltrated from GCS. They show the actor, bucket, object path, and operation type, enabling investigators to distinguish between permission changes and actual object access.
Tools Required
Google Cloud Console, gcloud CLI, Logs Explorer, SIEM
Collection Commands
gcloud CLI
gcloud logging read 'resource.type="gcs_bucket" AND timestamp>="2026-03-01T00:00:00Z"' --format=json > gcs_audit_logs.json
Logs Explorer
Filter by resource.type="gcs_bucket" and methodName/object identifiers, then export evidence for the incident window
Collection Constraints
- High-value object-read visibility usually depends on Data Access audit logging being enabled before the incident.
- Audit logs record object access metadata, not a preserved copy of the object payload.
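Added example (not part of the original page): a Python triage pass over the JSON export produced by the gcloud command above, separating permission changes from object reads and writes and pulling out actor, bucket, object path and audit stream. The sample entries, the project and bucket names, and the choice of method names in CATEGORY are assumptions made for illustration.

```python
import json

# protoPayload.methodName -> triage category. An assumed starting set, not
# exhaustive; anything unlisted lands in "other" for manual review.
CATEGORY = {
    "storage.setIamPermissions": "permission_change",
    "storage.objects.get": "object_read",
    "storage.objects.list": "object_read",
    "storage.objects.create": "object_write",
    "storage.objects.delete": "object_write",
}

def _entry(ts, stream, method, resource_name, principal=None):
    """Build a constructed LogEntry in the shape `gcloud ... --format=json` emits."""
    auth = {"principalEmail": principal} if principal else {}
    return {"timestamp": ts,
            "logName": f"projects/example-proj/logs/cloudaudit.googleapis.com%2F{stream}",
            "resource": {"type": "gcs_bucket", "labels": {"bucket_name": "example-bucket"}},
            "protoPayload": {"methodName": method, "resourceName": resource_name,
                             "authenticationInfo": auth}}

# Constructed sample export; every value here is made up.
SAMPLE_EXPORT = json.dumps([
    _entry("2026-03-02T10:20:00Z", "data_access", "storage.objects.get",
           "projects/_/buckets/example-bucket/objects/finance/report.csv", "b@example.com"),
    _entry("2026-03-02T10:15:00Z", "activity", "storage.setIamPermissions",
           "projects/_/buckets/example-bucket", "a@example.com"),
    _entry("2026-03-02T10:18:00Z", "data_access", "storage.objects.list",
           "projects/_/buckets/example-bucket"),
])

def triage(export_text):
    """Group gcs_bucket audit entries by category, each list sorted by timestamp."""
    out = {c: [] for c in ("permission_change", "object_read", "object_write", "other")}
    for e in json.loads(export_text):
        if e.get("resource", {}).get("type") != "gcs_bucket":
            continue
        p = e.get("protoPayload", {})
        _, sep, obj = p.get("resourceName", "").partition("/objects/")
        out[CATEGORY.get(p.get("methodName", ""), "other")].append({
            "timestamp": e.get("timestamp", ""),
            "actor": p.get("authenticationInfo", {}).get("principalEmail"),  # None if absent
            "bucket": e["resource"].get("labels", {}).get("bucket_name"),
            "object": obj if sep else None,  # None for bucket-level operations
            "method": p.get("methodName", ""), "stream": e.get("logName", "").rpartition("%2F")[2],
        })
    for rows in out.values():
        rows.sort(key=lambda r: r["timestamp"])
    return out
```

To run it against collected evidence, pass the contents of gcs_audit_logs.json to triage(). An empty object_read list is not proof that no reads occurred unless Data Access logging was enabled for the incident window.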
MITRE ATT&CK Techniques
T1530, T1213.002, T1567