Create a project-level log sink that exports admin activity and data access logs into BigQuery, then query for IAM changes and prove the dataset is locked down to the security team.
#observability#data#iam
LabAuditSprout, a compliance dashboard that can explain every customer's risk score except who changed IAM last Tuesday, which is inconvenient because last Tuesday is currently on fire.all labs
02 - Actions
score -- - -- votes
-- completed
Sign in with a real account to save ratings, completions, and share snapshots.
Stateloading
03 - Scenario
AuditSprout, a compliance dashboard that can explain every customer's risk score except who changed IAM last Tuesday, which is inconvenient because last Tuesday is currently on fire.
Create a project-level log sink that exports admin activity and data access logs into BigQuery, then query for IAM changes and prove the dataset is locked down to the security team.
Constraints
Log sink filter captures IAM changes without dumping every debug log in the project
BigQuery dataset is protected from casual project-wide editors
Sink writer identity has only the permission needed to write exported logs
A sample query finds recent IAM policy changes
ScenarioGCP - beginner
05 - Steps
STEP_01
Create the security dataset
Create a BigQuery dataset for audit exports with a clear retention and location choice. This is where responders will query facts instead of arguing from screenshots.
Create a project sink pointed at the BigQuery dataset with a filter for audit logs that include IAM policy changes. Keep the filter narrow enough that the bill does not become the incident after the incident.
Hint: Start with Admin Activity logs and IAM method names, then document what your filter includes and what it intentionally leaves out.
Grant the sink's generated writer identity BigQuery data editor on the destination dataset. Do not make every project editor a dataset editor just because Terraform is yelling at you.
Add dataset-level read access for the security group that will investigate IAM changes. Keep operators who deploy apps separate from operators who read the audit archive.
Make a harmless IAM binding change, wait for export, and query BigQuery for the method name, principal email, resource name, and timestamp. That row is your proof the pipeline works.