Google Cloud - Hippa Compliance - PgAudit vs IAM Audit Logs

Question

Our infrastructure is hosted on Google Cloud and uses postgresql instances via Cloud SQL

I need to configure logging for HIPAA compliance. I have read 2 articles from Google's documentation:

https://cloud.google.com/logging/docs/audit/configure-data-access#config-console https://cloud.google.com/sql/docs/postgres/pg-audit#overview

The first talks about enabling Audit Logs from within IAM, here I can select Cloud SQL and enable r+w logs for data and admins

The second talks about PgAudit and sets the following flag pgaudit.log=all

I have a couple of questions:

1. How do IAM logs and PgAudit differ, should I enable both or is there redundancy by doing so?
2. For HIPAA compliance using PgAudit, should I log all or is there another value that makes sense

Answer 1

How do IAM logs and PgAudit differ, should I enable both or is there redundancy by doing so?

Well the IAM Logs focus on Admin Activity and data access:

• Admin Activity audit logs: Includes "admin write" operations that write metadata or configuration information.
• Data Access audit logs: Includes "admin read" operations that read metadata or configuration information. Also includes "data read" and "data write" operations that read or write user-provided data.

On the other hand the pgAudit extension applies to executed SQL commands and queries.

Basic statement logging can be provided by the standard logging facility with log_statement = all. This is acceptable for monitoring and other usages but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations performed against the database. It must also be possible to find particular statements that are of interest to an auditor. The standard logging facility shows what the user requested, while pgAudit focuses on the details of what happened while the database was satisfying the request.

For HIPAA compliance using PgAudit, should I log all or is there another value that makes sense

When it comes to HIPAA compliance, I do not have any experience in the topic, but in this page it is mentioned that part of the Technical safeguards of HIPAA security rule is to introduce activity logs and audit controls.

Maybe combining the IAM logs (Who did what, where, and when?) with the pgAudit(executed commands and queries) will provide better coverage to face this implementation specification.