Access Transparency exclusions
Access Transparency logs are generated when Google personnel access content that you've uploaded into an Access Transparency supported service, except in the following scenarios:
-
Google is legally prohibited from notifying you of the access. For details, refer to Google Cloud's Transparency Report.
-
You've granted the Google personnel access to your content by using your Identity and Access Management (IAM) policy; their activities are recorded in Cloud Audit Logs (when enabled), not Access Transparency logs.
The access doesn't target Customer Data; for example, Google personnel querying for the average size of records in a database that contains content from multiple Google Cloud customers.
The content in question is a public resource identifier. For example:
- Google Cloud project IDs
- Cloud Storage bucket names
- Compute Engine VM names
- Google Kubernetes Engine cluster names
- BigQuery resource names (including datasets, tables, and reservations)
The access originates from Google's standard automated systems and code. These system accesses are validated by code authorization, which verifies that the job originates from code that was checked into production and subject to a multi-party security and privacy review, including a verified source code owner.
What's next
- Learn about the services that Access Transparency supports.