Google Cloud Adds Audit Logging for Security Token Service
MOUNTAIN VIEW, CA – Google Cloud Platform (GCP) has expanded its audit logging capabilities to include methods within the Security Token Service (STS), enhancing visibility into identity and access management (IAM) operations. The update, detailed in Google Cloud documentation, provides administrators with a clearer record of token exchange activities, bolstering security posture and compliance efforts.
The new logging applies to both the google.identity.sts.v1 and google.identity.sts.v1beta versions of the Security Token Service. Specifically, audit logs are now generated for the ExchangeToken method, the call through which a token from an external identity provider is exchanged for a Google Cloud credential. This increased transparency allows organizations to monitor how tokens are being used, detect potential misuse, and maintain a robust audit trail for regulatory requirements. Administrators can filter for these entries using protoPayload.methodName="google.identity.sts.v1.SecurityTokenService.exchangetoken" or protoPayload.methodName="google.identity.sts.v1beta.SecurityTokenService.exchangetoken".
The audit logs are categorized as “Data access” audit logs and require the sts.identityProviders.checkLogging permission with ADMIN_READ access to view. The exchangetoken method is not a long-running or streaming operation, which simplifies log analysis: each exchange appears as a single entry. These logs are essential for security professionals, IAM administrators, and compliance officers responsible for managing access to Google Cloud resources and ensuring adherence to security best practices. The addition of STS audit logging reinforces Google Cloud’s commitment to providing extensive security features and granular control over identity and access within its platform.