Access Approval provides explicit control over Google support access to your cloud data. Every access requires manual approval with full audit transparency.
What is Access Approval?
Access Approval is an enterprise feature for Google Cloud that provides additional control over support access. By default, Google support can access your resources during technical issues to diagnose and solve problems.
With Access Approval, this changes fundamentally. Every support access requires your explicit approval. You receive a notification with details about the requested access, the reason, affected resources, and duration. Without your consent, access remains blocked.
This is particularly relevant for regulated industries like financial services, healthcare, or public administration. GDPR and other compliance frameworks require documented control over data access by third parties. Access Approval meets these requirements with full audit transparency via Cloud Audit Logs.
The feature is exclusively available in Enterprise and Enterprise Plus support tiers. Integration requires no code changes and has no impact on normal application workloads.
How does Access Approval work?
The approval workflow runs in several steps:
- Support Case Escalation: A Google support employee needs access to your resources for problem resolution
- Approval Request: You receive a notification via email and in the Cloud Console
- Review: The request contains reason, resources, time duration, and requesting employee
- Decision: You approve, deny, or adjust the access time
- Access: Upon approval, support receives time-limited access
- Audit: All steps are logged in Cloud Audit Logs
Approval can be configured at project, folder, or organization level. Granular policies enable exceptions for specific services or resources.
Access Approval vs. Access Transparency
Access Approval and Access Transparency complement each other but have different functions:
| Feature | Access Approval | Access Transparency |
|---|---|---|
| Function | Approval required | Transparency logs only |
| Control | Active access control | Passive observation |
| Use Case | Regulated industries | Compliance monitoring |
| Support Tier | Enterprise/Enterprise Plus | Premium and higher |
| Delay | Possible for support | None |
Access Transparency documents all Google accesses without approval requirement. Access Approval requires explicit approval. For maximum control, enterprises combine both features.
Best Practices
1. Define clear approval processes
Determine who can approve approval requests. Define response times for critical vs. non-critical cases. Document escalation paths during absences.
2. Use automatic approvals for non-critical resources
Development and test environments can receive automatic approvals to avoid support delays. Production databases and sensitive systems require manual approval.
3. Configure approval time windows sensibly
Grant sufficient time for support troubleshooting but avoid excessively long periods. Typical is 4-8 hours for diagnostic access.
4. Monitor approval logs regularly
Use Cloud Audit Logs for monthly reviews of all approval requests. Identify patterns or unusual access requests as part of your security reviews.
5. Combine with VPC Service Controls
VPC Service Controls complement Access Approval through perimeter-based access control. This prevents data exfiltration even with approved support access.
Integration with innFactory
As a Google Cloud partner, innFactory supports you in implementing Access Approval:
- Compliance Strategy: Design of approval workflows for GDPR, HIPAA, or FINMA requirements
- Policy Configuration: Setup of granular approval policies at organization, folder, and project levels
- Audit Integration: Connection of Cloud Audit Logs to SIEM systems for centralized compliance reports
- Zero-Trust Architecture: Integration of Access Approval into comprehensive zero-trust security models
Contact us for consultation on Access Approval and Google Cloud security.
Available Tiers & Options
Enterprise and Enterprise Plus
- Explicit approval for support access
- Audit trail of all accesses
- Time-limited access rights
- Regional control over data residency
- Requires Enterprise Support tier
- Potential delay in support cases
Typical Use Cases
Technical Specifications
Frequently Asked Questions
What is Access Approval?
Access Approval is a Google Cloud feature that requires explicit approvals before Google support staff can access your data. During a support case, you receive a notification and must manually approve access. This provides additional control and transparency, especially important for regulated industries and GDPR compliance.
Which accesses require approval?
Access Approval applies to Google support access to your cloud resources like Compute Engine VMs, Cloud Storage buckets, databases, or logs. Normal API calls from your own applications are not affected. You exclusively control support-side access by Google employees.
How does the approval process work?
During a support case requiring data access, you receive a notification via email and in the Cloud Console. The request contains the reason, requested resources, duration, and the Google employee. You can approve, deny, or set a limited time duration. Without approval, Google cannot access your data.
Does Access Approval delay support processing?
Potentially yes, as support must wait for your approval. In critical production outages, this can delay problem resolution. Best practice is to review approval requests promptly and configure automatic approvals for specific resources or time windows if appropriate.
Which support tiers offer Access Approval?
Access Approval is exclusively available in Enterprise and Enterprise Plus support tiers. Standard and Basic support do not have access to this feature. This is part of extended enterprise features for regulated industries and high compliance requirements.
Can I configure Access Approval granularly?
Yes, you can enable Access Approval at project, folder, or organization level. Additionally, you can exclude specific services or resources from the requirement. Example: production databases require approval, development environments do not.
How does Access Approval help with GDPR compliance?
Access Approval provides documented control over data access by third parties (Google support). All approvals are logged in Cloud Audit Logs as evidence for GDPR audits. Combined with EU regions, this meets requirements for data sovereignty and transparency.
Are all access requests logged?
Yes, all Access Approval requests are stored in Cloud Audit Logs, regardless of whether approved or denied. This includes timestamps, requested resources, approver, and duration. These logs are immutable and serve as compliance evidence.
What does Access Approval cost?
Access Approval is included at no additional cost in Enterprise and Enterprise Plus support tiers. The support tiers themselves are charged based on your monthly GCP spend. Details can be found in the Google Cloud support pricing.
