This document describes Google Cloud features that can help prevent data exfiltration through phishing, insider attacks, or external entities when you are using Log Analytics. It also describes the two query engines available for Log Analytics and how the choice of query engine affects what data you can query.
Organization restrictions
You can use organization restrictions to restrict principals so that they have access only to resources in authorized Google Cloud organizations. Essentially, when you configure organization restrictions you are configuring an egress proxy. For example, you can use organization restrictions to prevent data stored by the organization from being combined with external data when you use Log Analytics.
To learn more, see Configure organization restrictions.
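The egress proxy that organization restrictions describe works by injecting an allow-list header into every request leaving the network, and Google Cloud then rejects requests against resources that belong to an organization not on that list. The following is an added example, not code from the Google Cloud documentation or from Google's own proxy: it assumes the documented header name X-Goog-Allowed-Resources and the documented value format (base64 of {"resources": ["organizations/ORG_ID", ...], "options": "strict"}); the organization IDs are constructed. It shows the two things a defender needs to get right: the proxy must overwrite, never pass through, any client-supplied copy of the header, and a consumer of the header must fail closed on malformed input.

```python
"""Build, inject and validate an organization-restrictions header value.

Added example (not from the Google Cloud documentation page). Assumes the
documented header X-Goog-Allowed-Resources whose value is base64-encoded JSON:
{"resources": ["organizations/<id>", ...], "options": "strict"}.
All organization IDs below are constructed samples.
"""
import base64
import json
import re

HEADER = "X-Goog-Allowed-Resources"          # documented header name (assumed here)
ORG_RE = re.compile(r"^organizations/\d+$")  # only numeric organization IDs are valid


def build_header_value(org_ids):
    """Encode the allow-list that the egress proxy injects into outbound requests."""
    resources = [f"organizations/{org}" for org in org_ids]
    bad = [r for r in resources if not ORG_RE.match(r)]
    if bad or not resources:
        raise ValueError(f"invalid organization ids: {bad or 'none given'}")
    payload = {"resources": resources, "options": "strict"}
    return base64.b64encode(json.dumps(payload, separators=(",", ":")).encode()).decode()


def parse_header_value(value):
    """Decode and validate a header value; raise on anything malformed (fail closed)."""
    try:
        payload = json.loads(base64.b64decode(value, validate=True))
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed organization-restrictions header") from exc
    resources = payload.get("resources") if isinstance(payload, dict) else None
    if (not isinstance(resources, list) or not resources
            or not all(isinstance(r, str) and ORG_RE.match(r) for r in resources)):
        raise ValueError("header must list at least one organizations/<id> resource")
    if payload.get("options") != "strict":
        raise ValueError("unexpected options value in header")
    return resources


def apply_to_request(headers, org_ids):
    """Return request headers with the allow-list set by the proxy.

    Any client-supplied copy of the header is dropped first (case-insensitively),
    so a caller cannot widen the allow-list by sending its own value.
    """
    cleaned = {k: v for k, v in headers.items() if k.lower() != HEADER.lower()}
    cleaned[HEADER] = build_header_value(org_ids)
    return cleaned


def resource_org_allowed(header_value, resource_org_id):
    """Would a request against a resource owned by resource_org_id pass the allow-list?"""
    return f"organizations/{resource_org_id}" in parse_header_value(header_value)


if __name__ == "__main__":
    # Constructed sample: the proxy allows only organization 123456789012.
    outbound = apply_to_request({"Accept": "*/*", "x-goog-allowed-resources": "client-set"},
                                ["123456789012"])
    value = outbound[HEADER]
    print("own org allowed:", resource_org_allowed(value, "123456789012"))
    print("foreign org allowed:", resource_org_allowed(value, "999999999999"))
```

The decoder rejects an empty resource list, a non-numeric organization ID, and invalid base64 or JSON, because a proxy that silently treated any of those as "allow everything" would defeat the purpose of the control.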
VPC Service Controls
VPC Service Controls helps protect against accidental or targeted action by external entities or insider entities, which helps to minimize unwarranted data exfiltration risks from Google Cloud services such as Cloud Storage and BigQuery. You can use VPC Service Controls to create perimeters that protect the resources and data of services that you explicitly specify.
A VPC Service Controls perimeter is a security boundary around Google Cloud resources. It allows free communication within the perimeter but, by default, blocks communication to Google Cloud services across the perimeter. A perimeter doesn't block access to any third-party APIs or services on the internet.
Don't confuse a VPC Service Controls perimeter with a Virtual Private Cloud network. A VPC Service Controls perimeter is a security boundary.
To learn more, see Set up a service perimeter.
Choose your Log Analytics query engine
Log Analytics lets you run your SQL queries on either the default Logging engine or the BigQuery engine. This section describes the differences between these two options.
To set the query engine, on the Log Analytics page, use the Settings menu.
Run queries on the default query engine
The default query engine is managed by Google Cloud Observability. The following table summarizes what you can query with this engine and how Cloud Logging uses Identity and Access Management (IAM) roles to control access to the data it stores:

| Data you query | Required IAM roles |
|---|---|
| _AllLogs view on the _Required log bucket | |
| _AllLogs view on the _Default log bucket | Private Logs Viewer (roles/logging.privateLogViewer) on the project that stores the _Default log bucket. |
| _Default view on the _Default log bucket | |
| A log view (on any log bucket) | For read access to all log views in a project: Logs View Accessor (roles/logging.viewAccessor) on the project. For read access to only a specific log view in a project, one of the following: Logs View Accessor (roles/logging.viewAccessor) on the project, with an IAM condition on the role that restricts the grant to that specific log view; or a binding for your ID in the IAM policy for the log view. |
| An analytics view | All of the following: Observability Analytics User (roles/observability.analyticsUser) on the project, and an IAM role that provides read access to the log view that the analytics view queries. |
To learn more about Logging roles, see Access control with IAM.
Run queries on the BigQuery engine
The BigQuery engine can run queries that include joins of a log view with other BigQuery tables. However, to use this engine, you must create a linked BigQuery dataset on the corresponding log bucket. A linked dataset is a read-only BigQuery dataset that serves as a pointer to a shared dataset.
If you create linked datasets for your log buckets, then you expand the security boundary of that data to include BigQuery services. That is, BigQuery services can now query your log data by issuing a query to a linked dataset.
If you set the query engine to BigQuery, then the following are true:
- You can query log views when a linked BigQuery dataset exists for the associated log bucket. However, the Log Analytics service enhances queries that are sent to the BigQuery engine. For this reason, if you view BigQuery metadata, it might differ from what you expect.
- Before a query is run, your BigQuery IAM permissions are checked.
- Queries that you run on the BigQuery engine are subject to BigQuery pricing.
The following table summarizes how the BigQuery engine uses IAM to control access to the source data:

| Data you query | Required IAM roles |
|---|---|
| _AllLogs view on the _Required log bucket | All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Required log bucket; and an IAM role that includes the logging.links.list permission. |
| _AllLogs view on the _Default log bucket | All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Default log bucket; and an IAM role that includes the logging.links.list permission. |
| _Default view on the _Default log bucket | All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the _Default log bucket; and an IAM role that includes the logging.links.list permission. |
| A log view (on any log bucket) | All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked dataset for the log bucket; and an IAM role that includes the logging.links.list permission. |
| A log view joined with a BigQuery table | All of the following: BigQuery Data Viewer (roles/bigquery.dataViewer) on the project or on the linked datasets for the log bucket and the other BigQuery table; and an IAM role that includes the logging.links.list permission. |
To learn about managing access to linked BigQuery datasets, see BigQuery Access Control.
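Because the two engines check different roles, the practical question for a defender is "who can actually read this log view, and through which engine?" The following added example (not code from the Google Cloud documentation page or from Google) applies the role rules of both tables above, the default-engine rules for a log view (Logs View Accessor on the project, optionally scoped to one view by an IAM condition, or a binding on the view's own policy) and the BigQuery-engine rules (BigQuery Data Viewer plus a role carrying logging.links.list, and only where a linked dataset exists), to a constructed IAM policy. The project, bucket, view and principal names, the hypothetical roles/custom.linkLister role, and the ROLE_PERMISSIONS map are all constructed; in a real audit you would fill them from `gcloud projects get-iam-policy`, `gcloud logging views get-iam-policy` and `gcloud iam roles describe`. Only the documented per-view condition form `resource.name == "..."` is evaluated; any other condition is reported for manual review rather than assumed to grant access.

```python
"""Audit who can read a log view on each Log Analytics query engine.

Added example, not from the Google Cloud documentation page. All resource
names, principals, policies and the ROLE_PERMISSIONS map are constructed.
"""
import re

# Constructed sample resources (not real projects or buckets).
PROJECT = "projects/example-project"
BUCKET = f"{PROJECT}/locations/global/buckets/_Default"
VIEW = f"{BUCKET}/views/audit-view"
OTHER_VIEW = f"{BUCKET}/views/other-view"
LINKED_BUCKETS = {BUCKET}  # constructed: buckets that have a linked BigQuery dataset

# Constructed role -> permissions map. Only the permission the page names is
# tracked; roles/custom.linkLister is a hypothetical custom role.
ROLE_PERMISSIONS = {"roles/custom.linkLister": {"logging.links.list"}}


def binding(role, members, expression=None):
    """Build one IAM policy binding, optionally with a CEL condition."""
    entry = {"role": role, "members": members}
    if expression:
        entry["condition"] = {"title": "scoped", "expression": expression}
    return entry


# Constructed project IAM policy, in the shape returned by get-iam-policy.
PROJECT_POLICY = {"bindings": [
    binding("roles/logging.viewAccessor", ["user:alice@example.com"]),
    binding("roles/logging.viewAccessor", ["user:bob@example.com"], f'resource.name == "{VIEW}"'),
    binding("roles/logging.viewAccessor", ["user:carol@example.com"], f'resource.name == "{OTHER_VIEW}"'),
    binding("roles/logging.viewAccessor", ["user:frank@example.com"],
            'request.time < timestamp("2030-01-01T00:00:00Z")'),
    binding("roles/bigquery.dataViewer", ["user:dave@example.com", "user:erin@example.com"]),
    binding("roles/custom.linkLister", ["user:dave@example.com"]),
]}
# Constructed IAM policy attached to the log view itself.
VIEW_POLICY = {"bindings": [binding("roles/logging.viewAccessor", ["user:grace@example.com"])]}

# The documented per-view condition shape: resource.name == "<full view name>".
COND_RE = re.compile(r'^\s*resource\.name\s*==\s*"([^"]+)"\s*$')


def condition_scope(entry):
    """Classify a binding: ('all', None), ('view', view_name) or ('unknown', expression)."""
    cond = entry.get("condition")
    if not cond:
        return ("all", None)
    match = COND_RE.match(cond["expression"])
    return ("view", match.group(1)) if match else ("unknown", cond["expression"])


def roles_for(policy, member):
    """Yield (role, scope) for every binding in the policy that names the member."""
    for entry in policy["bindings"]:
        if member in entry["members"]:
            yield entry["role"], condition_scope(entry)


def default_engine_access(member, view, project_policy, view_policy):
    """Default engine: Logs View Accessor on the project (unscoped or scoped to this
    view by condition), or a Logs View Accessor binding on the view's own policy."""
    verdict = "denied"
    for role, (kind, value) in roles_for(project_policy, member):
        if role != "roles/logging.viewAccessor":
            continue
        if kind == "all" or (kind == "view" and value == view):
            return "allowed"
        if kind == "unknown":
            verdict = "manual-review"  # a condition this audit cannot evaluate
    if any(role == "roles/logging.viewAccessor" and kind == "all"
           for role, (kind, _) in roles_for(view_policy, member)):
        return "allowed"
    return verdict


def bigquery_engine_access(member, bucket, project_policy):
    """BigQuery engine: a linked dataset must exist for the bucket, and the member
    needs BigQuery Data Viewer plus a role that includes logging.links.list.
    Only unconditional project-level bindings are modelled here; dataset-level
    grants are not."""
    if bucket not in LINKED_BUCKETS:
        return "denied"
    roles = [r for r, (kind, _) in roles_for(project_policy, member) if kind == "all"]
    has_viewer = "roles/bigquery.dataViewer" in roles
    can_list_links = any("logging.links.list" in ROLE_PERMISSIONS.get(r, set()) for r in roles)
    return "allowed" if has_viewer and can_list_links else "denied"


def audit(project_policy=PROJECT_POLICY, view_policy=VIEW_POLICY, view=VIEW):
    """Per-principal verdicts for one log view on both engines."""
    bucket = view.rsplit("/views/", 1)[0]
    members = sorted({m for p in (project_policy, view_policy)
                      for entry in p["bindings"] for m in entry["members"]})
    return {m: {"default_engine": default_engine_access(m, view, project_policy, view_policy),
                "bigquery_engine": bigquery_engine_access(m, bucket, project_policy)}
            for m in members}


if __name__ == "__main__":
    for member, verdicts in audit().items():
        print(f"{member:28} default={verdicts['default_engine']:14} bigquery={verdicts['bigquery_engine']}")
```

Running the audit on the sample policy shows the asymmetry the page describes: dave can reach the log data through the BigQuery engine without holding any Logging role at all, because the linked dataset moved that data inside BigQuery's security boundary, while erin, who has the same BigQuery Data Viewer grant but no role carrying logging.links.list, cannot.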

