Google Cloud HIPAA Compliance – PgAudit vs IAM Audit Logs

Tags: audit, google-cloud-platform, google-cloud-sql, hipaa, postgresql

Our infrastructure is hosted on Google Cloud and uses PostgreSQL instances via Cloud SQL.

I need to configure logging for HIPAA compliance.
I have read 2 articles from Google's documentation:

https://cloud.google.com/logging/docs/audit/configure-data-access#config-console
https://cloud.google.com/sql/docs/postgres/pg-audit#overview

The first talks about enabling Audit Logs from within IAM; here I can select Cloud SQL and enable r+w logs for data and admins.

The second talks about PgAudit and sets the following flag: pgaudit.log=all.

I have a couple of questions:

  1. How do IAM logs and PgAudit differ? Should I enable both, or is there redundancy in doing so?
  2. For HIPAA compliance using PgAudit, should I log all, or is there another value that makes sense?

Best Answer

To answer the first question:

Two types of audit logs are available for IAM:

  1. Admin Activity audit logs: Includes "admin write" operations that write metadata or configuration information. You can't disable Admin Activity audit logs.
  2. Data Access audit logs: Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data. To receive Data Access audit logs, you must explicitly enable them.

These logs are mostly used to audit administrative and maintenance operations done on a Cloud SQL instance.

In contrast, database auditing in Cloud SQL for PostgreSQL is available through the open-source pgAudit extension. Using this extension, you can selectively record and track SQL operations performed against a given database instance. The extension provides you with auditing capabilities to monitor and record a select subset of operations. The pgAudit extension applies to executed SQL commands and queries. For details, you can refer to the link.

And to answer the second question:

The PostgreSQL Audit Extension (pgAudit) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications.

pgaudit.log can take the values read, write, function, role, ddl, misc, misc_set, all, none. You can provide multiple classes using a comma-separated list, and subtract a class by prefacing the class with a - sign. The default is none.

Basic statement logging can be provided by the standard logging facility with log_statement = all. This is acceptable for monitoring and other usages but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations performed against the database. It must also be possible to find particular statements that are of interest to an auditor. The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.

For HIPAA compliance, under technical safeguards it is mentioned that you should introduce activity logs and audit controls. You may refer to the link for more details.
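To make the class semantics in the answer concrete (the comma-separated list, the `-` subtraction, and the extra detail pgAudit records compared with `log_statement = all`), here is an added Python example; it is not part of the answer above and not code from the pgAudit project or Google. It expands a `pgaudit.log` value into the set of classes that would actually be audited, parses session audit lines of the form `AUDIT: SESSION,<statement_id>,<substatement_id>,<class>,<command>,<object_type>,<object_name>,<statement>,<parameter>` that pgAudit writes into the PostgreSQL log, and models, for a handful of constructed sample log lines captured under `pgaudit.log=all`, which of them would survive a narrower setting. The log lines are constructed for this example; the table and database names in them are placeholders.

```python
import csv
import io
import re

# Audit classes accepted by pgaudit.log, as listed in the answer above.
PGAUDIT_CLASSES = {"read", "write", "function", "role", "ddl", "misc", "misc_set"}

# Constructed sample lines in the shape pgAudit emits with pgaudit.log=all.
# Table/database names are placeholders, not from any real system.
SAMPLE_LOG = [
    '2024-01-01 00:00:01 UTC [123]: LOG:  AUDIT: SESSION,1,1,DDL,CREATE TABLE,TABLE,public.patients,'
    '"create table patients (id int, name text, dob date);",<not logged>',
    '2024-01-01 00:00:02 UTC [123]: LOG:  AUDIT: SESSION,2,1,WRITE,INSERT,TABLE,public.patients,'
    '"insert into patients values (1, \'Ann\', \'1970-01-01\');",<not logged>',
    '2024-01-01 00:00:03 UTC [123]: LOG:  AUDIT: SESSION,3,1,READ,SELECT,TABLE,public.patients,'
    'select name from patients where id = 1;,<not logged>',
    "2024-01-01 00:00:04 UTC [123]: LOG:  AUDIT: SESSION,4,1,MISC,SET,,,set work_mem = '64MB';,<not logged>",
    "2024-01-01 00:00:05 UTC [124]: LOG:  connection authorized: user=app database=ehr",
]

AUDIT_PREFIX = re.compile(r"AUDIT:\s*(SESSION|OBJECT),(.*)$")


def effective_classes(setting: str) -> set:
    """Expand a pgaudit.log value such as 'all, -misc' into the classes that
    will be logged: 'all' selects every class, 'none' (the default) selects
    nothing, and a leading '-' removes a class from what was selected so far."""
    selected = set()
    for raw in setting.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        negate = token.startswith("-")
        name = token[1:] if negate else token
        if name == "all":
            names = set(PGAUDIT_CLASSES)
        elif name == "none":
            names = set()
        elif name in PGAUDIT_CLASSES:
            names = {name}
        else:
            raise ValueError(f"unknown pgaudit.log class: {name!r}")
        selected = selected - names if negate else selected | names
    return selected


def parse_pgaudit_line(line: str):
    """Return the structured fields of one pgAudit log line, or None for any
    other PostgreSQL log line. pgAudit writes its record as CSV after the
    'AUDIT: SESSION,' / 'AUDIT: OBJECT,' marker, quoting fields that contain
    commas, so the csv module is used rather than a plain split."""
    m = AUDIT_PREFIX.search(line)
    if not m:
        return None
    audit_type, record = m.group(1), m.group(2)
    fields = next(csv.reader(io.StringIO(record)))
    if len(fields) < 8:
        return None
    return {
        "audit_type": audit_type,
        "statement_id": int(fields[0]),
        "substatement_id": int(fields[1]),
        "class": fields[2],          # READ, WRITE, DDL, MISC, ...
        "command": fields[3],        # SELECT, INSERT, CREATE TABLE, ...
        "object_type": fields[4],    # TABLE, VIEW, ... (empty for MISC)
        "object_name": fields[5],    # schema-qualified name the statement touched
        "statement": fields[6],      # the SQL text, as log_statement would show it
        "parameter": fields[7],      # bound parameters, or '<not logged>'
    }


def audited_entries(lines, setting: str):
    """Model the server-side class filter: keep only the audit records whose
    class would be emitted under the given pgaudit.log setting."""
    wanted = {c.upper() for c in effective_classes(setting)}
    out = []
    for line in lines:
        entry = parse_pgaudit_line(line)
        if entry is not None and entry["class"] in wanted:
            out.append(entry)
    return out


if __name__ == "__main__":
    for setting in ("all", "all, -misc", "read, write"):
        kept = audited_entries(SAMPLE_LOG, setting)
        print(f"pgaudit.log={setting!r} -> {[e['command'] for e in kept]}")
```

The parsed fields show the distinction the answer draws: `log_statement = all` would give you only the `statement` text, while each pgAudit record also carries the class, the command, and the object it touched, which is what lets an auditor pull out, say, every READ against one table without re-parsing SQL. The `effective_classes` helper is also a cheap way to sanity-check a proposed `pgaudit.log` value before setting it on an instance.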
