Stay organized with collectionsSave and categorize content based on your preferences.
This page describes how to enroll an organization, a folder, or a project as a
resource for auditing in Audit Manager.
Enrollment accomplishes the following tasks:
AGoogle-managed service agentassociated with Audit Manager is created, which monitors the
specified resource on your behalf. The service agent's email address uses the
following format, whereRESOURCE_IDis the organization ID, folder ID,
or project ID.
Revoking this service agent's roles can cause Audit Manager to stop
auditing the resource.
The specified Cloud Storage buckets are configured as the destination
to store the audit data.
When you enroll a resource, its child resources are also enrolled. For example,
if you enroll an organization, any projects within that organization are also enrolled.
If a parent resource is already enrolled and you attempt to enroll
one of its child resources, then the child resource is enrolled independently.
Before you begin
Ensure that you have the following IAM roles and permissions:
You should receive a successful status code (2xx) and an empty response.
If you want to change the storage location for audit data after enrollment,
you need to update enrollment of your resource and specify the new storage
locations. The previous enrollment and storage locations are overwritten by
the new request.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eThis page details the process of enrolling an organization, folder, or project in Audit Manager to enable auditing.\u003c/p\u003e\n"],["\u003cp\u003eEnrolling a resource creates a Google-managed service agent that monitors the resource and configures designated Cloud Storage buckets for storing audit data.\u003c/p\u003e\n"],["\u003cp\u003eEnrolling a parent resource automatically enrolls its child resources, while attempting to enroll an already enrolled child resource will cause it to be independently enrolled.\u003c/p\u003e\n"],["\u003cp\u003eYou can enroll a resource through the Google Cloud console, the Audit Manager API, or the Google Cloud CLI, and the process requires specific IAM roles and permissions, as well as a designated Cloud Storage bucket.\u003c/p\u003e\n"],["\u003cp\u003eIf you need to change the storage location for audit data after enrolling, you can update your resource enrollment with the new storage locations.\u003c/p\u003e\n"]]],[],null,["# Enroll a resource for auditing\n\nThis page describes how to enroll an organization, a folder, or a project as a\nresource for auditing in Audit Manager.\n\nEnrollment accomplishes the following tasks:\n\n- A [Google-managed service agent](/iam/docs/service-account-types#service-agents)\n associated with Audit Manager is created, which monitors the\n specified resource on your behalf. The service agent's email address uses the\n following format, where \u003cvar translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e is the organization ID, folder ID,\n or project ID.\n\n \u003cvar translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e@gcp-sa-audit-manager.iam.gserviceaccount.com\n\n Revoking this service agent's roles can cause Audit Manager to stop\n auditing the resource.\n- The specified Cloud Storage buckets are configured as the destination\n to store the audit data.\n\nWhen you enroll a resource, its child resources are also enrolled. For example,\nif you enroll an organization, any projects within that organization are also enrolled.\nIf a parent resource is already enrolled and you attempt to enroll\none of its child resources, then the child resource is enrolled independently.\n\nBefore you begin\n----------------\n\n- Ensure that you have the following IAM roles and permissions:\n\n - [Audit Manager Admin](/iam/docs/understanding-roles#auditmanager.admin) (`roles/auditmanager.admin`).\n - [Storage Admin](/iam/docs/understanding-roles#storage.admin)(`roles/storage.admin`) or [Storage Legacy Bucket Owner](/iam/docs/understanding-roles#storage.legacyBucketOwner) (`roles/storage.legacyBucketOwner`)\n- To enroll an organization or a folder, you must have the following additional permissions:\n\n - Organization: `resourcemanager.organizations.setIamPolicy`\n - Folder: `resourcemanager.folders.setIamPolicy`\n- Identify or create Cloud Storage buckets where the\n audit data needs to be exported.\n\n To learn about how to create Cloud Storage buckets,\n see [Create a bucket](/storage/docs/discover-object-storage-console#create_a_bucket).\n\nEnroll a resource for auditing\n------------------------------\n\nYou can enroll an organization, a folder, or a project for auditing in\nAudit Manager.\n\nThe simplest way to enroll a resource is through the Google Cloud console.\nAlternatively, you can use the Audit Manager API or the Google Cloud CLI. \n\n### Console\n\n1. In the Google Cloud console, go to the **Audit Manager** page.\n\n [Go to Audit Manager](https://console.cloud.google.com/compliance/auditmanager)\n2. Click settings**Settings**.\n\n Depending on the resource you have\n selected in the project selector, a list of folders\n or projects are displayed on the **Settings** page.\n3. On the **Settings** page, select the resource that you want to enroll\n for Audit Manager, click\n settings**Enroll** in the\n **Status** column.\n\n4. In the **Select storage bucket details** dialog, select one or more\n Cloud Storage buckets where you want to save your reports and\n evidence, and click **Enroll**.\n\n Your resource is now enrolled for auditing.\n\n### gcloud\n\n\nBefore using any of the command data below,\nmake the following replacements:\n\n- \u003cvar class=\"edit\" scope=\"RESOURCE_TYPE\" translate=\"no\"\u003eRESOURCE_TYPE\u003c/var\u003e: The type of resource. Possible values are `organization`, `folder`, and `project`.\n- \u003cvar class=\"edit\" scope=\"RESOURCE_ID\" translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e: The resource ID of the organization, folder, or project. For example: `8767234`.\n- \u003cvar class=\"edit\" scope=\"BUCKET_URI\" translate=\"no\"\u003eBUCKET_URI\u003c/var\u003e: The URI of the Cloud Storage bucket. For example: `gs://testbucketauditmanager`.\n\n\nExecute the\n\nfollowing\n\ncommand:\n\n#### Linux, macOS, or Cloud Shell\n\n**Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n```bash\ngcloud audit-manager enrollments add \\\n--RESOURCE_TYPE=RESOURCE_ID \\\n--eligible-gcs-buckets=BUCKET_URI\n```\n\n#### Windows (PowerShell)\n\n**Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n```bash\ngcloud audit-manager enrollments add `\n--RESOURCE_TYPE=RESOURCE_ID `\n--eligible-gcs-buckets=BUCKET_URI\n```\n\n#### Windows (cmd.exe)\n\n**Note:** Ensure you have initialized the Google Cloud CLI with authentication and a project by running either [gcloud init](/sdk/gcloud/reference/init); or [gcloud auth login](/sdk/gcloud/reference/auth/login) and [gcloud config set project](/sdk/gcloud/reference/config/set). \n\n```bash\ngcloud audit-manager enrollments add ^\n--RESOURCE_TYPE=RESOURCE_ID ^\n--eligible-gcs-buckets=BUCKET_URI\n```\n\n\u003cbr /\u003e\n\n### REST\n\n\nBefore using any of the request data,\nmake the following replacements:\n\n- \u003cvar class=\"edit\" scope=\"RESOURCE_TYPE\" translate=\"no\"\u003eRESOURCE_TYPE\u003c/var\u003e: The type of resource. Possible values are `organization`, `folder`, and `project`.\n- \u003cvar class=\"edit\" scope=\"RESOURCE_ID\" translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e: The resource ID of the organization, folder, or project. For example: `8767234`.\n- \u003cvar class=\"edit\" scope=\"BUCKET_URI\" translate=\"no\"\u003eBUCKET_URI\u003c/var\u003e: The URI of the Cloud Storage bucket. For example: `gs://testbucketauditmanager`.\n\n\nHTTP method and URL:\n\n```\nPOST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource\n```\n\n\nRequest JSON body:\n\n```\n\n{\n \"destinations\" : [\n {\n \"eligible_gcs_buckets\" : \"BUCKET_URI\"\n }\n ]\n}\n\n```\n\nTo send your request, choose one of these options: \n\n#### curl\n\n| **Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login) , or by using [Cloud Shell](/shell/docs), which automatically logs you into the `gcloud` CLI . You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).\n\n\nSave the request body in a file named `request.json`,\nand execute the following command:\n\n```\ncurl -X POST \\\n -H \"Authorization: Bearer $(gcloud auth print-access-token)\" \\\n -H \"Content-Type: application/json; charset=utf-8\" \\\n -d @request.json \\\n \"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource\"\n```\n\n#### PowerShell\n\n| **Note:** The following command assumes that you have logged in to the `gcloud` CLI with your user account by running [`gcloud init`](/sdk/gcloud/reference/init) or [`gcloud auth login`](/sdk/gcloud/reference/auth/login) . You can check the currently active account by running [`gcloud auth list`](/sdk/gcloud/reference/auth/list).\n\n\nSave the request body in a file named `request.json`,\nand execute the following command:\n\n```\n$cred = gcloud auth print-access-token\n$headers = @{ \"Authorization\" = \"Bearer $cred\" }\n\nInvoke-WebRequest `\n -Method POST `\n -Headers $headers `\n -ContentType: \"application/json; charset=utf-8\" `\n -InFile request.json `\n -Uri \"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/:enrollResource\" | Select-Object -Expand Content\n```\n\nYou should receive a successful status code (2xx) and an empty response.\n\n\u003cbr /\u003e\n\n| **Note:** If you experience issues when enrolling a resource, see [Troubleshoot enrollment issues](/audit-manager/docs/troubleshoot-enrollment-issues).\n\nIf you want to change the storage location for audit data after enrollment,\nyou need to update enrollment of your resource and specify the new storage\nlocations. The previous enrollment and storage locations are overwritten by\nthe new request.\n\nWhat's next\n-----------\n\n- [Create a custom compliance framework](/audit-manager/docs/create-framework).\n- [Run an audit](/audit-manager/docs/run-audit)."]]
