An audit is a long-running operation that might take a few hours. The duration depends on the number of resources within the audit scope, which is the project or folder you have previously enrolled.
Before you begin
Ensure that you have one of the following IAM roles:
- Audit Manager Admin (roles/auditmanager.admin)
- Audit Manager Auditor (roles/auditmanager.auditor)
If you want to run an audit against a custom compliance framework (Preview), ensure that you also have the Audit Manager Custom Compliance Framework Viewer (roles/auditmanager.ccfViewer) IAM role.
Ensure that your project or folder has been enrolled for auditing.
Run an audit
Console
In the Google Cloud console, go to the Run assessment page in Audit Manager.
In the Choose resource and regulation section, do the following:
Select your project or folder that needs to be audited.
Select the compliance framework that you want to audit your resource against. You can either select a built-in or a custom compliance framework (Preview) from the Available frameworks list. For more information, see Supported compliance frameworks.
Select the location where the audit assessment must be processed. For the list of supported locations, see Locations.
Click Next.
Optional: In the View Assessment Plan section, you can download an ODS file that contains information about the audit scope based on the compliance framework that you selected. To download the file, click the link, and click Next.
In the Choose storage bucket section, select a storage bucket where the audit report and evidence must be saved, and click Done. If your bucket is not listed, then ask your administrator to enroll your resource with your storage bucket.
To start the audit, click Run Audit.
You can view the audit status on the View assessments page.
gcloud
Optional: Generate an audit assessment
Before running an actual audit, you can generate an audit assessment (or scope) that includes a detailed task breakdown for the audit based on the compliance framework you chose.
The gcloud audit-manager audit-scopes generate command generates an audit scope.
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
- LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
- COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
- OUTPUT_DIRECTORY: The directory where the output must be stored. For example: reports.
- OUTPUT_FILENAME: The name of the output file. Don't include the file extension in the filename. For example: scopeReport.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud audit-manager audit-scopes generate \
  --RESOURCE_TYPE=RESOURCE_ID \
  --location=LOCATION \
  --compliance-framework=COMPLIANCE_TYPE \
  --report-format=AUDIT_REPORT_FORMAT \
  --output-directory=OUTPUT_DIRECTORY \
  --output-file-name=OUTPUT_FILENAME
Windows (PowerShell)
gcloud audit-manager audit-scopes generate `
  --RESOURCE_TYPE=RESOURCE_ID `
  --location=LOCATION `
  --compliance-framework=COMPLIANCE_TYPE `
  --report-format=AUDIT_REPORT_FORMAT `
  --output-directory=OUTPUT_DIRECTORY `
  --output-file-name=OUTPUT_FILENAME
Windows (cmd.exe)
gcloud audit-manager audit-scopes generate ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --location=LOCATION ^
  --compliance-framework=COMPLIANCE_TYPE ^
  --report-format=AUDIT_REPORT_FORMAT ^
  --output-directory=OUTPUT_DIRECTORY ^
  --output-file-name=OUTPUT_FILENAME
Run an audit
The gcloud audit-manager audit-reports generate command runs an audit.
Before using any of the command data below, make the following replacements:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
- LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
- COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
- BUCKET_URI: The URI of the Cloud Storage bucket that will receive the audit report and evidence. For example: gs://testbucketauditmanager.
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
Execute the following command:
Linux, macOS, or Cloud Shell
gcloud audit-manager audit-reports generate \
  --RESOURCE_TYPE=RESOURCE_ID \
  --location=LOCATION \
  --compliance-framework=COMPLIANCE_TYPE \
  --report-format=AUDIT_REPORT_FORMAT \
  --gcs-uri=BUCKET_URI
Windows (PowerShell)
gcloud audit-manager audit-reports generate `
  --RESOURCE_TYPE=RESOURCE_ID `
  --location=LOCATION `
  --compliance-framework=COMPLIANCE_TYPE `
  --report-format=AUDIT_REPORT_FORMAT `
  --gcs-uri=BUCKET_URI
Windows (cmd.exe)
gcloud audit-manager audit-reports generate ^
  --RESOURCE_TYPE=RESOURCE_ID ^
  --location=LOCATION ^
  --compliance-framework=COMPLIANCE_TYPE ^
  --report-format=AUDIT_REPORT_FORMAT ^
  --gcs-uri=BUCKET_URI
You should receive a response similar to the following:
done: false
name: projects/10398413/locations/987234/operations/operation-1726842525305-6228ddb4dca96-78a6db59-f9dd9a24
REST
Optional: Generate an audit assessment
Before running an actual audit, you can generate an audit assessment (or scope) that includes a detailed task breakdown for the audit based on the compliance framework you chose.
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
- LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
- COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
- OUTPUT_DIRECTORY: The directory where the output must be stored. For example: reports.
- OUTPUT_FILENAME: The name of the output file. Don't include the file extension in the filename. For example: scopeReport.
HTTP method and URL:
POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate
Request JSON body:
{
  "compliance_framework": "COMPLIANCE_TYPE",
  "report_format": "AUDIT_REPORT_FORMAT"
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "scope_report_contents": "980u43nrf090834uhbkfehf......",
  "name": "folders/8767234/locations/us-west"
}
Run an audit
Before using any of the request data, make the following replacements:
- RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
- RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
- LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
- COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
- BUCKET_URI: The URI of the Cloud Storage bucket that will receive the audit report and evidence. For example: gs://testbucketauditmanager.
- AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
HTTP method and URL:
POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate
Request JSON body:
{
  "destination": {
    "gcs_uri": "BUCKET_URI"
  },
  "compliance_framework": "COMPLIANCE_TYPE",
  "report_format": "AUDIT_REPORT_FORMAT"
}
To send your request, choose one of these options:
curl
Save the request body in a file named request.json, and execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate"
PowerShell
Save the request body in a file named request.json, and execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
{
  "name": "organizations/834/projects/10398413/locations/987234/operations/098234",
  "done": false
}
The response has the following information:
- name: A unique string identifier of the audit operation request. Use this identifier to track the progress of the audit. For example: operations/098234.
- done: A boolean flag. It is false when the operation has been triggered and the audit is still running, and it changes to true when the audit is completed. Because an audit can run for hours, expect to poll the operation rather than wait on the initial request.
The scope_report_contents field in the auditScopesReport:generate response holds the raw bytes of the scope report, which are base64-encoded in the JSON response. Decode them and save the result as an ODF file before review.
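Decoding scope_report_contents is where people most often go wrong (saving the base64 text itself, or saving bytes that are not actually a spreadsheet). The following is an added example, not code from the page or from Audit Manager, that decodes the field, checks that the bytes are an ODF spreadsheet (a zip whose first entry is an uncompressed mimetype file with the ODS media type) and writes it under OUTPUT_DIRECTORY/OUTPUT_FILENAME.ods. The sample response is constructed in the block; a real response carries an actual report.

```python
import base64
import io
import json
import tempfile
import zipfile
from pathlib import Path

ODS_MIMETYPE = "application/vnd.oasis.opendocument.spreadsheet"


def decode_scope_report(response_json: str) -> bytes:
    """Extract and base64-decode scope_report_contents from the
    auditScopesReport:generate response body."""
    body = json.loads(response_json)
    if "scope_report_contents" not in body:
        raise ValueError("response has no scope_report_contents field")
    # validate=True rejects stray characters instead of silently dropping them
    return base64.b64decode(body["scope_report_contents"], validate=True)


def verify_ods(data: bytes) -> bool:
    """Return True if `data` looks like an ODF spreadsheet: a zip archive
    whose first member is `mimetype`, stored uncompressed, containing the
    ODS media type (the ODF packaging rule)."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.infolist()
            if not members or members[0].filename != "mimetype":
                return False
            if members[0].compress_type != zipfile.ZIP_STORED:
                return False
            return zf.read("mimetype") == ODS_MIMETYPE.encode("ascii")
    except zipfile.BadZipFile:
        return False


def save_scope_report(response_json: str, output_dir: str, output_filename: str) -> Path:
    """Decode, verify and write the report as OUTPUT_DIRECTORY/OUTPUT_FILENAME.ods.
    `output_filename` is given without extension, matching the CLI parameter."""
    data = decode_scope_report(response_json)
    if not verify_ods(data):
        raise ValueError("decoded scope_report_contents is not an ODF spreadsheet")
    out = Path(output_dir) / f"{output_filename}.ods"
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_bytes(data)
    return out


def _constructed_ods() -> bytes:
    """Build a minimal ODF-shaped archive. Constructed for this example only;
    it is not a real Audit Manager report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"), ODS_MIMETYPE,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", "<office:document-content/>",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def constructed_response() -> str:
    """A response in the shape shown on the page, with constructed contents."""
    return json.dumps({
        "scope_report_contents": base64.b64encode(_constructed_ods()).decode("ascii"),
        "name": "folders/8767234/locations/us-west",
    })


def demo() -> tuple:
    """Round-trip the constructed response into a temp directory and
    return (file name, size in bytes, verified)."""
    with tempfile.TemporaryDirectory() as d:
        path = save_scope_report(constructed_response(), d, "scopeReport")
        data = path.read_bytes()
        return (path.name, len(data), verify_ods(data))


if __name__ == "__main__":
    print(demo())
```

With a real response saved from curl as response.json, call save_scope_report(Path("response.json").read_text(), "reports", "scopeReport") and open the resulting file in a spreadsheet application.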