Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in Trend Vision One™ Cloud Risk Management. For details, please refer to Upgrade to Trend Vision One
Logo of Trend Micro
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Data Access Audit Logs for Document AI

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)

To ensure security, compliance, and effective troubleshooting, enable Data Access audit logs for your Google Cloud Document AI resources. Google Cloud provides two main types of audit logs:

  1. Admin Activity audit logs: These logs capture operations that modify the configuration or metadata of resources, such as creating or deleting Document AI resources. Admin Activity audit logs are enabled by default and cannot be turned off.
  2. Data Access audit logs: These logs track operations not covered by Admin Activity logs. Data Access audit logs include the following sub-types:
    • ADMIN_READ: Logs operations that read metadata or configuration information. This is useful for auditing who has read-only access to the configurations or settings of your Document AI resources.
    • DATA_READ: Logs operations that read user-provided data. This is useful for tracking read interactions with your resources.
    • DATA_WRITE: Logs operations that write user-provided data. This is critical for tracking changes to your Document AI configuration and resources.

Unlike Admin Activity logs, Data Access audit logs are disabled by default and must be explicitly enabled.
Security
Reliability
Cost
optimisation
Performance
efficiency
Operational
excellence

Enabling Data Access audit logs for Google Cloud Document AI is crucial for ensuring compliance, strengthening security, promoting accountability, and streamlining troubleshooting efforts. By actively monitoring and analyzing activity for your Document AI resources, you can gain valuable insights that enable swift detection and response to potential security threats. In Google Cloud Platform (GCP), Data Access audit logs capture API calls that access resource configurations or metadata, along with user-initiated API calls that create, modify, or read data provided by users.

Audit

To determine if Data Access audit logs are enabled for your Document AI resources, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Document AI API, and press Enter.

06 Select the Document AI API service to show the info panel for the selected GCP service.

07 Choose the Permission types tab and check the log types configured for Document AI API to determine what types of operations are recorded in your Data Access audit logs for the selected service. If Admin Read, Data Write, and Data Read log types are not enabled (i.e., the log type checkboxes are not selected), Data Access audit logs are disabled for your Google Cloud Document AI resources.

08 Repeat steps no. 2 – 7 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account: 

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs): 

cc-project5-123123
cc-ai-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the IAM policy created for the selected project. The project's IAM policy includes includes the auditConfigs configuration object, which contains the configuration parameters for Data Access audit logs. 

gcloud projects get-iam-policy cc-project5-123123
	--format="yaml(auditConfigs)"

04 The command output should return the IAM policy defined for the GCP project (including the auditConfigs object): 

auditConfigs:

	- auditLogConfigs:
		- logType: ADMIN_READ
		- logType: DATA_READ
		- logType: DATA_WRITE
		service: pubsub.googleapis.com

	- auditLogConfigs:
		- logType: ADMIN_READ
		- logType: DATA_READ
		- logType: DATA_WRITE
		service: compute.googleapis.com

If the projects get-iam-policy command output returns null, Data Access audit logs are not enabled for the Google Cloud services and APIs supported within the selected GCP project. If the command output returns the auditConfigs configuration object, as shown in the example above, audit logs are enabled for certain services and APIs. If ADMIN_READ, DATA_READ, and DATA_WRITE log types are not listed for service: documentai.googleapis.com, Data Access audit logs are disabled for your Google Cloud Document AI resources.

05 Repeat steps no. 3 and 4 for each project deployed within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To enable Data Access audit logs for your Google Cloud Document AI resources, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Document AI API, and press Enter.

06 Select the Document AI API service to display the info panel for the selected GCP service.

07 Choose the Permission types tab, check the Admin Read, Data Write, and Data Read checkboxes, and choose Save to apply the changes. This will enable Data Access audit logs for all the Document AI resources available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP project and add the "auditConfigs" object to the existing policy as configured below. Save the IAM policy document to a JSON file named cc-enable-data-access-audit-logs.json. If audit logs are already enabled for other GCP services, just add the "auditLogConfigs" object to the existing "auditConfigs". The example below demonstrates Data Access audit logs enabled exclusively for Document AI resources: 

"auditConfigs": [
	{
		"auditLogConfigs": [
			{
				"logType": "ADMIN_READ"
			},
			{
				"logType": "DATA_READ"
			},
			{
				"logType": "DATA_WRITE"
			}
		],
		"service": "documentai.googleapis.com"
	}
]

02 Run projects set-iam-policy command (Windows/macOS/Linux) with the name of the GCP project that you want to configure as the identifier parameter, to update the associated IAM policy in order to enable Data Access audit logs for all the Document AI resources available in the selected GCP project: 

gcloud projects set-iam-policy cc-project5-123123 cc-enable-data-access-audit-logs.json

03 The command output should return the modified IAM policy document: 

Updated IAM policy for project [cc-project5-123123].
	auditConfigs:
	- auditLogConfigs:
		- logType: ADMIN_READ
		- logType: DATA_READ
		- logType: DATA_WRITE
		service: documentai.googleapis.com
	bindings:
		- members:
		- user:username@domain.com
		role: roles/documentai.viewer
	etag: abcdabcdabcd
	version: 1

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud Platform (GCP) account.

References

Publication date Jul 28, 2025

Related DocumentAI rules