Improve instance security by enabling database auditing

This page describes how to enable database auditing in AlloyDB, how the database auditing recommender works, and how you can use it.

The AlloyDB database auditing recommender detects production instances on which auditing is not enabled and recommends enabling database auditing for them.

Before you begin

Before you can view recommendations and insights, do the following:

List the recommendations

You can list the recommendations to enable database auditing using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

  1. In the Google Cloud console, go to the Clusters page.

    For more information, see Find recommendations with Recommendation Hub.

  2. In the Resources list table, find the cluster and click View issues in the Issues column.

    A list of issues is displayed in the Aggregated issues panel. Select the Auditing not enabled recommendation card.

gcloud CLI

To list the recommendations to enable database auditing using gcloud CLI, run the gcloud recommender recommendations list command as follows:

gcloud recommender recommendations list \
--project=PROJECT_ID \
--location=LOCATION \
--recommender=google.alloydb.instance.SecurityRecommender \
--filter=recommenderSubtype=ENABLE_DATABASE_AUDITING

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.
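
The command above takes one --location per call, so checking a whole project means repeating it for each region. The following is an added example, not part of the original page: a shell function that sweeps a list of regions with that command. The function name audit_sweep, its exit codes, and the value(name,description) output format are choices made for this example.

```shell
#!/bin/sh
# Added example: sweep several regions for ENABLE_DATABASE_AUDITING recommendations.
# Usage: audit_sweep PROJECT_ID REGION [REGION...]
# Prints one line per recommendation: REGION<TAB>NAME<TAB>DESCRIPTION
# Exit status (chosen for this example): 0 = none found, 1 = found, 2 = error.
audit_sweep() {
  local project region out line findings errors
  if [ "$#" -lt 2 ]; then
    echo "usage: audit_sweep PROJECT_ID REGION [REGION...]" >&2
    return 2
  fi
  project=$1
  shift
  findings=0
  errors=0
  for region in "$@"; do
    # Same command as on this page, plus --format to get tab-separated fields.
    if ! out=$(gcloud recommender recommendations list \
        --project="$project" \
        --location="$region" \
        --recommender=google.alloydb.instance.SecurityRecommender \
        --filter=recommenderSubtype=ENABLE_DATABASE_AUDITING \
        --format='value(name,description)'); then
      # A failed call is not a clean result: report it and keep going.
      echo "audit_sweep: listing failed for $region" >&2
      errors=$((errors + 1))
      continue
    fi
    # Read the captured output line by line; skip the empty line an empty result yields.
    while IFS= read -r line; do
      [ -n "$line" ] || continue
      printf '%s\t%s\n' "$region" "$line"
      findings=$((findings + 1))
    done <<EOF
$out
EOF
  done
  # Errors take precedence so an unreachable region is never reported as clean.
  [ "$errors" -eq 0 ] || return 2
  [ "$findings" -eq 0 ] || return 1
  return 0
}
```

Called as audit_sweep PROJECT_ID us-central1 europe-west1, a nonzero exit status can fail a scheduled job or pipeline step when any swept region still has an open recommendation.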

API

To list the recommendations to enable database auditing using the Recommender API, call the recommendations.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.alloydb.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ENABLE_DATABASE_AUDITING

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

View insights and detailed recommendations

You can view insights and detailed recommendations about instances that require enabling database auditing using the Google Cloud console, gcloud CLI, or the Recommender API.

Console

On the Clusters page, under the Resources table, click View issues in the Issues column for the cluster.

The Aggregated issues panel appears on the right and contains insights and detailed recommendations for Auditing not enabled.

gcloud CLI

Run the gcloud recommender insights list command as follows:

gcloud recommender insights list \
--project=PROJECT_ID \
--location=LOCATION \
--insight-type=google.alloydb.instance.SecurityInsight \
--filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

API

Call the insights.list method as follows:

GET https://recommender.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.alloydb.instance.SecurityInsight/insights?filter=insightSubtype=DATABASE_AUDITING_NOT_ENABLED

Replace the following:

  • PROJECT_ID: Your project ID.
  • LOCATION: A region where your instances are located, such as us-central1.

Apply the recommendation

Evaluate the recommendation carefully and do any of the following:

Console

To implement the recommendation, follow the instructions in Enable pgAudit.

gcloud CLI

To implement the recommendation, follow the instructions in Enable pgAudit.

What's next