Run an audit

An audit is a long-running operation that might take a few hours. The duration depends on the number of resources within the audit scope, which is the project or folder you have previously enrolled.

Before you begin

  • Ensure that you have one of the following IAM roles:

    • Audit Manager Admin (roles/auditmanager.admin)
    • Audit Manager Auditor (roles/auditmanager.auditor)
  • If you want to run an audit against a custom compliance framework (Preview), ensure that you have the Audit Manager Custom Compliance Framework Viewer (roles/auditmanager.ccfViewer) IAM role.

  • Ensure that your project or folder has been enrolled for auditing.

Run an audit

Console

  1. In the Google Cloud console, go to the Run assessment page in Audit Manager.

    Go to Audit Manager

  2. In the Choose resource and regulation section, do the following:

    1. Select your project or folder that needs to be audited.

    2. Select the compliance framework that you want to audit your resource against. You can either select a built-in or a custom compliance framework (Preview) from the Available frameworks list. For more information, see Supported compliance frameworks.

    3. Select the location where the audit assessment must be processed. For the list of supported locations, see Locations.

    4. Click Next.

  3. Optional: In the View Assessment Plan section, you can download an ODS file that contains information about the audit scope based on the compliance framework that you selected. To download the file, click the link, and click Next.

  4. In the Choose storage bucket section, select a storage bucket where the audit report and evidence must be saved, and click Done. If your bucket is not listed, then ask your administrator to enroll your resource with your storage bucket.

  5. To start the audit, click Run Audit.

    You can view the audit status on the View assessments page.

gcloud

Optional: Generate an audit assessment

Before running an actual audit, you can generate an audit assessment (or scope) that includes a detailed task breakdown for the audit based on the compliance framework you chose.

The gcloud audit-manager audit-scopes generate command generates an audit scope.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
  • COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
  • OUTPUT_DIRECTORY: The directory where the output must be stored. For example: reports.
  • OUTPUT_FILENAME: The name of the output file. Don't include the file extension in the filename. For example: scopeReport.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud audit-manager audit-scopes generate \
    --RESOURCE_TYPE=RESOURCE_ID \
    --location=LOCATION \
    --compliance-framework=COMPLIANCE_TYPE \
    --report-format=AUDIT_REPORT_FORMAT \
    --output-directory=OUTPUT_DIRECTORY \
    --output-file-name=OUTPUT_FILENAME

Windows (PowerShell)

gcloud audit-manager audit-scopes generate `
    --RESOURCE_TYPE=RESOURCE_ID `
    --location=LOCATION `
    --compliance-framework=COMPLIANCE_TYPE `
    --report-format=AUDIT_REPORT_FORMAT `
    --output-directory=OUTPUT_DIRECTORY `
    --output-file-name=OUTPUT_FILENAME

Windows (cmd.exe)

gcloud audit-manager audit-scopes generate ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --location=LOCATION ^
    --compliance-framework=COMPLIANCE_TYPE ^
    --report-format=AUDIT_REPORT_FORMAT ^
    --output-directory=OUTPUT_DIRECTORY ^
    --output-file-name=OUTPUT_FILENAME

Run an audit

The gcloud audit-manager audit-reports generate command runs an audit.

Before using any of the command data below, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
  • COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager.
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.

Execute the following command:

Linux, macOS, or Cloud Shell

gcloud audit-manager audit-reports generate \
    --RESOURCE_TYPE=RESOURCE_ID \
    --location=LOCATION \
    --compliance-framework=COMPLIANCE_TYPE \
    --report-format=AUDIT_REPORT_FORMAT \
    --gcs-uri=BUCKET_URI

Windows (PowerShell)

gcloud audit-manager audit-reports generate `
    --RESOURCE_TYPE=RESOURCE_ID `
    --location=LOCATION `
    --compliance-framework=COMPLIANCE_TYPE `
    --report-format=AUDIT_REPORT_FORMAT `
    --gcs-uri=BUCKET_URI

Windows (cmd.exe)

gcloud audit-manager audit-reports generate ^
    --RESOURCE_TYPE=RESOURCE_ID ^
    --location=LOCATION ^
    --compliance-framework=COMPLIANCE_TYPE ^
    --report-format=AUDIT_REPORT_FORMAT ^
    --gcs-uri=BUCKET_URI

You should receive a response similar to the following:

done: false
name: projects/10398413/locations/987234/operations/operation-1726842525305-6228ddb4dca96-78a6db59-f9dd9a24

REST

Optional: Generate an audit assessment

Before running an actual audit, you can generate an audit assessment (or scope) that includes a detailed task breakdown for the audit based on the compliance framework you chose.

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
  • COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.
  • OUTPUT_DIRECTORY: The directory where the output must be stored. For example: reports.
  • OUTPUT_FILENAME: The name of the output file. Don't include the file extension in the filename. For example: scopeReport.

HTTP method and URL:

POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate

Request JSON body:

{
  "compliance_framework" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditScopesReport:generate" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "scope_report_contents" : "980u43nrf090834uhbkfehf......",
  "name" : "folders/8767234/locations/us-west"
}

Run an audit

Before using any of the request data, make the following replacements:

  • RESOURCE_TYPE: The type of resource, either a project or a folder. For example: folder.
  • RESOURCE_ID: The resource ID of the project or folder. For example: 8767234.
  • LOCATION: The location of the Audit Manager API endpoint. For a list of available endpoints, see Locations. For example: us-central1.
  • COMPLIANCE_TYPE: The compliance framework to audit against. For example: CIS_CONTROLS_V8.
  • BUCKET_URI: The URI of the Cloud Storage bucket. For example: gs://testbucketauditmanager.
  • AUDIT_REPORT_FORMAT: The format of the output audit report. Only ODF format is supported: odf.

HTTP method and URL:

POST https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate

Request JSON body:

{
  "destination" : {
    "gcs_uri" : "BUCKET_URI"
  },
  "compliance_framework" : "COMPLIANCE_TYPE",
  "report_format" : "AUDIT_REPORT_FORMAT"
}

To send your request, choose one of these options:

curl

Save the request body in a file named request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate"

PowerShell

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://auditmanager.googleapis.com/RESOURCE_TYPE/RESOURCE_ID/locations/LOCATION/auditReport:generate" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "name": "organizations/834/projects/10398413/locations/987234/operations/098234",
  "done": false
}

The response has the following information:

  • name: A unique string identifier of the audit assessment operation request. This identifier is used to track the progress of the audit assessment process. For example: operation/098234.
  • done: A boolean flag. It is false while the process is running, which indicates that the audit has been triggered, and is set to true when the audit assessment is completed.

In the audit assessment response shown earlier, the scope_report_contents field holds the report contents as bytes, which must be converted to ODF format before review.
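As an added example (not part of the Audit Manager documentation), the shell functions below assemble the auditReport:generate request from the values listed above, reject a scope type or destination that is not a project/folder or a gs:// bucket, and extract the operation name from either response shape shown on this page. The mapping of folder to folders in the URL is an assumption drawn from the folders/8767234 name in the assessment response; the IDs and bucket in the comments and test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not taken from the Audit Manager documentation: assemble
# and sanity-check the auditReport:generate request described on this page,
# then pull the long-running operation name out of the response so the
# audit can be tracked. IDs and bucket names here are constructed values.

# Build the REST URL. The page's response names scopes as "folders/8767234",
# so the singular gcloud-style value is mapped to the plural REST collection
# (an assumption drawn from that response, not stated by the page).
audit_url() {
  case "$1" in
    project) collection=projects ;;
    folder)  collection=folders ;;
    *) echo "resource type must be project or folder, got: $1" >&2; return 1 ;;
  esac
  printf 'https://auditmanager.googleapis.com/%s/%s/locations/%s/auditReport:generate\n' \
    "$collection" "$2" "$3"
}

# Emit the request body. Only ODF is supported, so report_format is fixed,
# and the destination must be a gs:// URI: the report and evidence belong in
# the enrolled, access-controlled bucket and nowhere else.
audit_request_body() {
  case "$1" in
    gs://?*) ;;
    *) echo "destination must be a gs:// bucket URI, got: $1" >&2; return 1 ;;
  esac
  printf '{\n  "destination": {\n    "gcs_uri": "%s"\n  },\n  "compliance_framework": "%s",\n  "report_format": "odf"\n}\n' \
    "$1" "$2"
}

# Extract the operation name from either response shape shown on the page:
# the YAML-style gcloud output ("name: ...") or the JSON body ("name": "...").
operation_name() {
  sed -n 's/^[[:space:]]*"\{0,1\}name"\{0,1\}:[[:space:]]*"\{0,1\}\([^",]*\)"\{0,1\},\{0,1\}[[:space:]]*$/\1/p' \
    | head -n 1
}

# Typical use (needs gcloud credentials, so it is not executed here):
#   audit_request_body gs://example-audit-bucket CIS_CONTROLS_V8 > request.json
#   curl -s -X POST -H "Authorization: Bearer $(gcloud auth print-access-token)" \
#     -H "Content-Type: application/json; charset=utf-8" -d @request.json \
#     "$(audit_url folder 8767234 us-central1)" | operation_name
```

Keep the printed operation name; it is the handle for checking whether done has flipped to true.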

What's next