This page describes how to run an audit in Audit Manager. An audit is a long-running operation that may take a few hours. The duration depends on the number of resources within the audit scope, which is the project or folder you have previously enrolled.
Before you begin
- Ensure that your administrator has granted you one of the required Identity and Access Management (IAM) roles to run an audit.
- Ensure that you've enrolled a resource for auditing.
- Identify or create one or more Cloud Storage buckets where audit data will be exported, and ensure that the caller has been granted the proper permissions on the bucket.
Required IAM roles
To run an audit or to generate an audit scope, you must be granted the Audit Manager Admin (roles/auditmanager.admin) or Audit Manager Auditor (roles/auditmanager.auditor) role. These roles grant you the ability to generate an audit scope, and to create or view audit reports.
See the IAM documentation for more information about granting roles.
Run an audit
To run an audit, complete the following steps.
Console
In the Google Cloud console, go to the Run assessment page in Audit Manager.
Enter the ID of the project or folder you want to enroll. The expected format is projects/PROJECT-ID or folders/FOLDER-ID. If the project or folder has not been previously enrolled, you will be prompted to enroll it. Click Enroll Audits.
Select the compliance standard you want to audit your resource against. See the Supported compliance standards page for more information.
Select the location where the audit should be processed. See the Locations page for a description of each available location.
Click Next.
In the Get assessment plan step, you can optionally download an ODS file that contains information about each audit parameter included in the compliance standard that you selected earlier. Click the link to download, and click Next.
In the Choose storage bucket step, select one of the previously-enrolled buckets where the audit report and evidence will be saved, and click Done. If your bucket is not listed, it must be re-enrolled.
Click Run Audit to start the audit. The audit status is updated from the list of audits as described in View an audit.
gcloud
The gcloud alpha audit-manager audit-reports generate command runs an audit.
Replace the following placeholder values with your own before you run the command:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager
- COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf
gcloud alpha audit-manager audit-reports generate \
--RESOURCE_TYPE=RESOURCE_ID \
--location=LOCATION \
--compliance-standard=COMPLIANCE_TYPE \
--report-format=odf \
--gcs-uri="BUCKET_URI"
If successful, the response includes the following information:
name: A unique string identifier of the audit assessment operation request. This identifier will be used to track the progress of the audit assessment process. For example: operation/098234
done: A boolean flag that will be set to false, meaning that the process has been triggered. This will be set to true once the audit assessment has been completed.
REST
Replace the following placeholder values with your own before you make the request:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folders
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager
- COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: AUDIT_REPORT_FORMAT_ODF
HTTP method and URL:
POST: https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate
Request JSON body:
{
  "destination" : {
    "gcs_uri" : "BUCKET_URI"
  },
  "compliance_regime" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}
If successful, the response includes the following information:
name: A unique string identifier of the audit assessment operation request. This identifier will be used to track the progress of the audit assessment process. For example: operation/098234
done: A boolean flag that will be set to false, meaning that the process has been triggered. This will be set to true once the audit assessment has been completed.
If an error occurred, refer to the following table for troubleshooting guidance.
Error code | Error message | Description |
---|---|---|
401 | User has insufficient permissions to run audit on the provided scope. | Ensure that you have been granted the required permissions to run an audit, or ask an administrator to run this operation on your behalf. |
401 | Storage bucket provided is not enrolled for the provided audit resource. | The specified bucket has not previously been enrolled for the audit operation. Ensure that the enrolled bucket is specified, or retry the enrollment operation for the appropriate bucket. |
403 | Resource is not enrolled to be audited. | The specified resource has not previously been enrolled for the audit operation. Ensure that the enrolled resource is specified, or retry the enrollment operation for the appropriate resource. |
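The following is an added example, not Google's code or part of this page: a small Python client that assembles the auditReport:generate request described above, sends it with a bearer token, reads the name and done fields from a successful response, and maps error responses to the troubleshooting table. The URL shape, JSON field names and troubleshooting text come from the page; the placeholder validation rules, the token source and the sample response are the example's own assumptions.

```python
"""Build, send and interpret an Audit Manager auditReport:generate request.

Added example, not Google's code. Only the URL shape, the JSON field names and
the troubleshooting table come from the documentation; the validation rules,
the bearer-token source and the sample response are assumptions made here.
"""
import json
import urllib.request
from urllib.error import HTTPError

API_BASE = "https://auditmanager.googleapis.com/v1alpha"

# Troubleshooting table from the page: (HTTP status, start of message) -> guidance.
TROUBLESHOOTING = {
    (401, "User has insufficient permissions"):
        "Ensure that you have been granted the required permissions to run an "
        "audit, or ask an administrator to run this operation on your behalf.",
    (401, "Storage bucket provided is not enrolled"):
        "The specified bucket has not been enrolled for the audit operation. "
        "Specify an enrolled bucket, or retry the enrollment for this bucket.",
    (403, "Resource is not enrolled"):
        "The specified resource has not been enrolled for the audit operation. "
        "Specify an enrolled resource, or retry the enrollment for this resource.",
}


def build_generate_request(resource_type, resource_id, location, bucket_uri,
                           compliance_type, report_format="AUDIT_REPORT_FORMAT_ODF"):
    """Return (url, body) for auditReport:generate.

    The placeholder checks are this example's own; they reject malformed input
    before any request leaves the machine.
    """
    if resource_type not in ("projects", "folders"):
        raise ValueError("RESOURCE_TYPE must be 'projects' or 'folders'")
    if not resource_id or "/" in resource_id:
        raise ValueError("RESOURCE_ID must be a bare project or folder ID")
    if not bucket_uri.startswith("gs://") or bucket_uri == "gs://":
        raise ValueError("BUCKET_URI must look like gs://bucket-name")
    url = (f"{API_BASE}/{resource_type}/{resource_id}"
           f"/locations/{location}/auditReport:generate")
    body = {
        "destination": {"gcs_uri": bucket_uri},
        "compliance_regime": compliance_type,
        "report_format": report_format,
    }
    return url, body


def send_generate_request(url, body, access_token):
    """POST the request with a bearer token (for example from
    `gcloud auth print-access-token`). Network call; not exercised offline."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST", headers={
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


def interpret_success(payload):
    """Return (operation name, done flag) from a successful response."""
    return payload["name"], bool(payload.get("done", False))


def troubleshoot(status, message):
    """Map an error status and message to the page's troubleshooting guidance."""
    for (code, prefix), guidance in TROUBLESHOOTING.items():
        if status == code and message.startswith(prefix):
            return guidance
    return f"Unrecognised error {status}: {message}"


if __name__ == "__main__":
    url, body = build_generate_request("folders", "8767234", "us-central1",
                                       "gs://testbucketauditmanager", "FEDRAMP_MODERATE")
    print(url)
    print(json.dumps(body, indent=2))
    # Constructed sample response shaped like the one documented above.
    sample = {"name": "operation/098234", "done": False}
    print(interpret_success(sample))
    print(troubleshoot(403, "Resource is not enrolled to be audited."))
```

The done flag is false immediately after generation; tracking the operation named in the response is covered under What's next.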
Generate an assessment plan (optional)
Before running an actual audit, you can generate an audit assessment (or scope), which includes a detailed task breakdown for the audit based on the compliance standard you chose.
Console
The steps to generate an assessment plan in the Google Cloud console are included in the Run an audit section.
gcloud
The gcloud alpha audit-manager audit-scopes generate command generates an audit scope.
Replace the following placeholder values with your own before you run the command:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf
- OUTPUT_DIRECTORY: The directory where the output will be stored. For example: reports
- OUTPUT_FILENAME: The name of the output file. Don't include the file extension in the filename. For example: scopeReport
gcloud alpha audit-manager audit-scopes generate \
--RESOURCE_TYPE=RESOURCE_ID \
--location=LOCATION \
--compliance-standard=COMPLIANCE_TYPE \
--report-format=odf \
--output-directory=OUTPUT_DIRECTORY \
--output-file-name=OUTPUT_FILENAME
REST
Replace the following placeholder values with your own before you make the request:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folders
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234
- LOCATION: The location of the Audit Manager API endpoint. See Locations for a list of available endpoints. For example: us-central1
- COMPLIANCE_TYPE: The compliance standard to audit against. For example: FEDRAMP_MODERATE
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: AUDIT_REPORT_FORMAT_ODF
HTTP method and URL:
POST: https://auditmanager.googleapis.com/v1alpha/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate
Request JSON body:
{
  "compliance_regime" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}
The response includes the scope_report_contents and name fields, such as the following:
"scope_report_contents" : "980u43nrf090834uhbkfehf......"
"name" : "folders/8767234/locations/us-west"
The scope_report_contents field holds the report contents as bytes, which must be converted to ODF format before review.
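The following is an added example, not Google's code or part of this page. It shows one way to turn the scope_report_contents bytes into a reviewable ODF file, assuming the standard JSON encoding Google APIs use for bytes fields (base64 text). The check that the decoded bytes form an ODF package (a zip archive whose first entry is an uncompressed file named mimetype) is the example's own sanity check, not something the page states; the sample response is constructed in memory.

```python
"""Decode the scope_report_contents field of an auditScopesReport:generate response.

Added example, not Google's code. Assumes bytes fields arrive as base64 text
(standard Google API JSON encoding). The ODF package check and the sample
response are this example's own; the field names come from the documentation.
"""
import base64
import io
import json
import zipfile

ODF_MIMETYPE_PREFIX = "application/vnd.oasis.opendocument"


def decode_scope_report(response_json):
    """Return the raw bytes carried in scope_report_contents."""
    payload = json.loads(response_json) if isinstance(response_json, str) else response_json
    encoded = payload["scope_report_contents"]
    # validate=True rejects non-base64 characters, so a truncated or mangled
    # copy of the field fails here instead of producing a corrupt file.
    return base64.b64decode(encoded, validate=True)


def odf_mimetype(blob):
    """Return the declared ODF mimetype, or None if blob is not an ODF package."""
    if not blob.startswith(b"PK"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as archive:
            names = archive.namelist()
            if not names or names[0] != "mimetype":
                return None
            mimetype = archive.read("mimetype").decode("ascii")
    except (zipfile.BadZipFile, UnicodeDecodeError, KeyError):
        return None
    return mimetype if mimetype.startswith(ODF_MIMETYPE_PREFIX) else None


def write_scope_report(response_json, path):
    """Decode, verify and write the report; return the mimetype that was written."""
    blob = decode_scope_report(response_json)
    mimetype = odf_mimetype(blob)
    if mimetype is None:
        raise ValueError("scope_report_contents did not decode to an ODF package")
    with open(path, "wb") as fh:
        fh.write(blob)
    return mimetype


def build_sample_response(name="folders/8767234/locations/us-west"):
    """Construct a response shaped like the page's example, carrying a minimal
    ODF spreadsheet package (constructed data, not a real scope report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        # ODF packaging requires mimetype to be the first entry, stored uncompressed.
        archive.writestr(zipfile.ZipInfo("mimetype"),
                         "application/vnd.oasis.opendocument.spreadsheet",
                         compress_type=zipfile.ZIP_STORED)
        archive.writestr("content.xml", "<office:document-content/>",
                         compress_type=zipfile.ZIP_DEFLATED)
    return json.dumps({
        "scope_report_contents": base64.b64encode(buf.getvalue()).decode("ascii"),
        "name": name,
    })


if __name__ == "__main__":
    sample = build_sample_response()
    print(write_scope_report(sample, "scopeReport.ods"))
```

Note that the truncated placeholder shown on the page ("980u43nrf090834uhbkfehf......") is not valid base64 and is rejected by the decoder; a real response carries the full encoded archive.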
If an error occurred, refer to the following table for troubleshooting guidance.
Error code | Error message | Description |
---|---|---|
400 | Invalid compliance standard. Please provide a standard from the following list : [] | Ensure that you've specified a supported compliance standard and try again. |
400 | Invalid report format is passed. | Ensure that you've specified the expected report format: AUDIT_SCOPE_REPORT_FORMAT_ODF. |
What's next
- Learn how to get the status of an audit.