Set up and view the violation dashboard
This page describes how to set up and use the VPC Service Controls violation dashboard to view the details about access denials by service perimeters in your organization.
Cost
When you use the VPC Service Controls violation dashboard, you need to consider the costs that you incur for using the following billable components of Google Cloud:
- Because you deploy Cloud Logging resources in your organization while setting up the violation dashboard, you incur cost for using these resources.
- Because you use an organization-level Log Router sink for the violation dashboard, VPC Service Controls routes a copy of the VPC Service Controls audit logs from every project in your organization into the configured log bucket, in addition to the bucket where each project already stores them. You incur cost for using the log bucket. To estimate the potential cost for using the log bucket, query and calculate the volume of your audit logs. For more information about querying your existing logs, see View logs.
For information about the Cloud Logging and Cloud Monitoring pricing, see Google Cloud Observability pricing.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Service Usage API.
  Roles required to enable APIs:
  To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
Required roles
To get the permissions that you need to set up the violation dashboard, ask your administrator to grant you the Logging Admin (roles/logging.admin) IAM role on the project in which you configure a log bucket during the violation dashboard setup. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the permissions required to set up the violation dashboard. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to set up the violation dashboard:
- To list the log buckets from the selected project: logging.buckets.list
- To create a new log bucket: logging.buckets.create
- To enable Log Analytics in the selected log bucket: logging.buckets.update
- To create a new Log Router sink: logging.sinks.create
You might also be able to get these permissions with custom roles or other predefined roles.
To get the permissions that you need to view the violation dashboard, ask your administrator to grant you the following IAM roles on the project in which you configure a log bucket during the violation dashboard setup:
- Logs View Accessor (roles/logging.viewAccessor)
- VPC Service Controls Troubleshooter Viewer (roles/accesscontextmanager.vpcScTroubleshooterViewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to view the violation dashboard. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to view the violation dashboard:
- To display the access policy names: accesscontextmanager.policies.list
- To display the project names: resourcemanager.projects.get
You might also be able to get these permissions with custom roles or other predefined roles.
Set up the dashboard
To set up the violation dashboard, you need to configure a log bucket to aggregate the VPC Service Controls audit logs and create an organization-level Log Router sink that routes all the VPC Service Controls audit logs to the log bucket.
To set up the violation dashboard for your organization, do the following one time:
In the Google Cloud console, go to the VPC Service Controls page.
If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.
On the VPC Service Controls page, click Violation dashboard.
On the Violation dashboard setup page, in the Project field, select the project that contains the log bucket in which you want to aggregate the audit logs.
For Log bucket destination, select Existing log bucket or Create new log bucket.
If you want to use an existing log bucket, in the Log bucket list, select the required log bucket.
If you create a new log bucket, enter the required information in the following fields:
- Name: A name for your log bucket.
- Description: A description for your log bucket.
- Region: The region where you want to store your logs.
  Note: After you create the log bucket, you can't change the log bucket's region.
- Retention period: A custom duration for which Cloud Logging needs to retain your logs.
For more information about these fields, see Create a bucket.
Click Create log router sink. VPC Service Controls creates a new Log Router sink named reserved_vpc_sc_dashboard_log_router in the selected project.
This operation takes about a minute to complete.
Note: When you create a new log bucket or select an existing log bucket that doesn't have Log Analytics enabled, VPC Service Controls automatically enables Log Analytics in the log bucket before VPC Service Controls creates the Log Router sink.
View access denials in the dashboard
After you set up the violation dashboard, you can use the dashboard to view the details about access denials by service perimeters in your organization.
In the Google Cloud console, go to the VPC Service Controls page.
If you are prompted, select your organization. You can access the VPC Service Controls page only at the organization level.
On the VPC Service Controls page, click Violation dashboard. The Violation dashboard page appears.
On the Violation dashboard page, you can do the following operations:
Filtering: In the Filter list, select the required options to filter and view specific data, for example by principal, access policy, or resource. To apply a specific value from one of the tables as a filter, click Add filter preceding the value.
Time intervals: To select the time range for the data, click one of the predefined time intervals. To define a custom time range, click Custom.
Tables and charts: Scroll the Violation dashboard page to view the data categorized under different tables and charts. The violation dashboard displays the following tables and charts:
- Violations
- Violation count
- Top violations by principal
- Top violations by principal IP
- Top violations by service
- Top violations by method
- Top violations by resource
- Top violations by service perimeter
- Top violations by access policy
Count: The Violations table lists the total occurrences of each access denial in the Count column, and the Last occurrence column shows the timestamp of the most recent denial. The Unique count columns in the other tables show the number of distinct access denials grouped by an attribute such as principal, principal IP, or service.
Troubleshoot access denials: Click the token in the Troubleshooting token column of the Violations table to open the violation analyzer and view the troubleshooting result for the access denial. This column displays only the most recent troubleshooting token for the access denial. To view all occurrences of the access denial, click Unfold more. The Violation instances pane opens and lists all tokens for the access denial along with their timestamps and unique IDs. Clicking a token in this pane opens the troubleshooting result for that occurrence.
For information about using the violation analyzer, see Diagnose an access denial in violation analyzer.
Pagination: The violation dashboard paginates the data displayed in all tables. Click Previous and Next to navigate and view the paginated data.
Modify Log Router sink: To modify the configured Log Router sink, click Edit log sink.
For information about modifying a Log Router sink, see Manage sinks.
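The tables above are aggregations over the VPC Service Controls audit log entries that the sink routes into the log bucket. The following Python script is an added example, not code from this page or from Google Cloud's own tooling: it reproduces the Violations table (count, last occurrence, latest troubleshooting token, the list of instances) and the "Top violations by ..." unique counts offline over a constructed set of audit log lines, so you can sanity-check dashboard numbers or run the same logic over an export. The audit log field names are the real ones (protoPayload.metadata."@type", vpcServiceControlsUniqueId, violationReason, securityPolicyInfo.servicePerimeterName, the cloudaudit.googleapis.com/policy log); the values, principals and project names are invented, and the grouping key that defines one violation row and the exclusion of dryRun entries are assumptions made for the example.

```python
import json
from collections import Counter
from datetime import datetime

# Metadata type that marks an audit log entry as a VPC Service Controls evaluation.
VPC_SC_METADATA_TYPE = "type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"

# Attributes that together identify one row of the Violations table.
# Assumption for this example; the page does not document the dashboard's exact key.
KEY_FIELDS = ("principal", "service", "method", "resource", "perimeter")


def _entry(ts, principal, ip, service, method, resource, perimeter, token, reason, vpc_sc=True):
    """Build one constructed audit log entry as a JSON line (real field names, invented values)."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "status": {"code": 7, "message": "Request is prohibited by organization's policy"},
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "serviceName": service,
        "methodName": method,
        "resourceName": resource,
    }
    if vpc_sc:  # a plain IAM denial carries no VPC Service Controls metadata
        payload["metadata"] = {
            "@type": VPC_SC_METADATA_TYPE,
            "vpcServiceControlsUniqueId": token,  # the troubleshooting token
            "violationReason": reason,
            "securityPolicyInfo": {"servicePerimeterName": perimeter},
        }
    return json.dumps({
        "timestamp": ts,
        "logName": "projects/example-proj/logs/cloudaudit.googleapis.com%2Fpolicy",
        "protoPayload": payload,
    })


PERIMETER = "accessPolicies/1000/servicePerimeters/prod"
OBJECT = "projects/_/buckets/finance-data/objects/q1.csv"

# Constructed sample: the same request by alice denied twice, one denial of a service
# account, and one ordinary IAM denial (status 7, no VPC SC metadata) that must be ignored.
SAMPLE_LOG_LINES = [
    _entry("2025-01-10T09:00:00Z", "alice@example.com", "203.0.113.10",
           "storage.googleapis.com", "google.storage.objects.get", OBJECT, PERIMETER,
           "tok-a1", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("2025-01-10T09:05:00Z", "alice@example.com", "203.0.113.10",
           "storage.googleapis.com", "google.storage.objects.get", OBJECT, PERIMETER,
           "tok-a2", "NO_MATCHING_ACCESS_LEVEL"),
    _entry("2025-01-10T09:07:00Z", "ci-runner@example-proj.iam.gserviceaccount.com", "10.0.0.5",
           "bigquery.googleapis.com", "google.cloud.bigquery.v2.JobService.InsertJob",
           "projects/example-proj/jobs/job-1", PERIMETER,
           "tok-b1", "RESOURCE_NOT_IN_SAME_SERVICE_PERIMETER"),
    _entry("2025-01-10T09:08:00Z", "bob@example.com", "198.51.100.7",
           "storage.googleapis.com", "google.storage.objects.get", OBJECT, "", "", "", vpc_sc=False),
]


def is_vpc_sc_denial(entry):
    """True for enforced perimeter denials: VPC SC metadata, PERMISSION_DENIED (7), not dry run."""
    payload = entry.get("protoPayload", {})
    meta = payload.get("metadata", {})
    return (meta.get("@type") == VPC_SC_METADATA_TYPE
            and payload.get("status", {}).get("code") == 7
            and not meta.get("dryRun", False))


def summarize_violations(log_lines):
    """Group denials into Violations-table rows: total count, last occurrence, latest token."""
    rows = {}
    for line in log_lines:
        entry = json.loads(line)
        if not is_vpc_sc_denial(entry):
            continue
        p, m = entry["protoPayload"], entry["protoPayload"]["metadata"]
        key = (p["authenticationInfo"]["principalEmail"], p["serviceName"], p["methodName"],
               p["resourceName"], m["securityPolicyInfo"]["servicePerimeterName"])
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        row = rows.setdefault(key, {"count": 0, "reason": m.get("violationReason"),
                                    "last_occurrence": None, "last_token": None,
                                    "caller_ips": set(), "instances": []})
        row["count"] += 1
        row["caller_ips"].add(p.get("requestMetadata", {}).get("callerIp", "unknown"))
        row["instances"].append((ts, m["vpcServiceControlsUniqueId"]))  # Violation instances pane
        if row["last_occurrence"] is None or ts > row["last_occurrence"]:
            row["last_occurrence"], row["last_token"] = ts, m["vpcServiceControlsUniqueId"]
    return rows


def top_violations_by(rows, field):
    """Unique violation count per attribute value, like the 'Top violations by ...' tables."""
    if field == "principal_ip":
        counter = Counter(ip for row in rows.values() for ip in row["caller_ips"])
    else:
        idx = KEY_FIELDS.index(field)
        counter = Counter(key[idx] for key in rows)
    return dict(counter.most_common())


if __name__ == "__main__":
    rows = summarize_violations(SAMPLE_LOG_LINES)
    for key, row in rows.items():
        print(key[0], key[1], row["count"], row["last_occurrence"].isoformat(), row["last_token"])
    print(top_violations_by(rows, "principal"))
```

Entries with status code 7 but without the VpcServiceControlAuditMetadata type are ordinary IAM denials and are skipped, which is the same distinction the sink's filter makes when routing. If your own counts disagree with the dashboard, check first that you are reading from the same log bucket and time range that the dashboard uses, and that the sink's filter has not been edited.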
Troubleshoot
If you encounter issues while using the violation dashboard, then try troubleshooting and resolving the issues as described in the following sections.
A service perimeter denied access to your user account
If you encounter an error due to insufficient permissions, check if any service perimeter within your organization is denying access to the Cloud Logging API. To resolve this issue, create an ingress rule that lets you access the Cloud Logging API:
In the Google Cloud console, go to the VPC Service Controls page.
If you are prompted, select your organization.
On the VPC Service Controls page, click the service perimeter that protects the project containing your log bucket.
Create an ingress rule that lets you access the Cloud Logging API in the project.
A service perimeter denied access to the log bucket
If VPC Service Controls doesn't route your audit logs to the configured log bucket, you might have to create an ingress rule that allows the Log Router sink's service account to access the Cloud Logging API in your service perimeter:
In the Google Cloud console, go to the Log Router page.
On the Log Router page, select Menu for the configured Log Router sink, and then select View sink details.
In the Sink details dialog, from the Writer identity field, copy the service account that the Log Router sink uses.
In the Google Cloud console, go to the VPC Service Controls page.
If you are prompted, select your organization.
On the VPC Service Controls page, click the service perimeter that protects the project containing your log bucket.
Create an ingress rule that allows the Log Router sink's service account to access the Cloud Logging API in the project.
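Both troubleshooting cases above come down to the same ingress rule, differing only in the identity: your own user account in the first case, the sink's writer identity in the second. The following Python script is an added example, not code from this page or from Google: it reads the writer identity and the destination bucket out of a constructed copy of the JSON that gcloud logging sinks describe --format=json returns, and emits the ingress rule as JSON (which is valid YAML) in the shape that gcloud access-context-manager perimeters update --set-ingress-policies accepts. The sink name follows the page; the project ID, project number, bucket name and writer identity value are invented.

```python
import json

# Constructed stand-in for the output of
#   gcloud logging sinks describe reserved_vpc_sc_dashboard_log_router --organization=ORG_ID --format=json
# Field names are the real LogSink fields; the values are invented for the example.
SINK_DESCRIBE_OUTPUT = json.dumps({
    "name": "reserved_vpc_sc_dashboard_log_router",
    "destination": "logging.googleapis.com/projects/example-logs-proj/locations/global/buckets/vpc-sc-violations",
    "filter": 'protoPayload.metadata."@type"="type.googleapis.com/google.cloud.audit.VpcServiceControlAuditMetadata"',
    "includeChildren": True,
    "writerIdentity": "serviceAccount:o100000000000-123456@gcp-sa-logging.iam.gserviceaccount.com",
})

# Ingress rules name projects by number, not by ID. Constructed mapping; in practice
# take the number from `gcloud projects describe PROJECT_ID --format='value(projectNumber)'`.
PROJECT_NUMBERS = {"example-logs-proj": "123456789012"}

LOGGING_SERVICE = "logging.googleapis.com"


def parse_log_bucket_destination(destination):
    """Split 'logging.googleapis.com/projects/P/locations/L/buckets/B' into its parts."""
    prefix = "logging.googleapis.com/"
    if not destination.startswith(prefix):
        raise ValueError(f"not a log bucket destination: {destination}")
    parts = destination[len(prefix):].split("/")
    if len(parts) != 6 or parts[0] != "projects" or parts[2] != "locations" or parts[4] != "buckets":
        raise ValueError(f"unexpected destination format: {destination}")
    return {"project": parts[1], "location": parts[3], "bucket": parts[5]}


def build_logging_ingress_rule(identity, project_number):
    """Ingress rule that lets `identity` reach the Cloud Logging API in project `project_number`.

    `identity` is written the way an ingress rule expects a principal: 'serviceAccount:...'
    for the sink's writer identity, 'user:...' for your own account. The rule is scoped to
    the Logging service only; the method selector stays at '*' because the page only states
    that the identity must be able to access the Cloud Logging API.
    """
    if not identity.startswith(("serviceAccount:", "user:", "group:")):
        raise ValueError(f"identity must carry its principal type prefix: {identity}")
    return {
        "ingressFrom": {
            "identities": [identity],
            # Any source; replace with a named access level if you have one that fits.
            "sources": [{"accessLevel": "*"}],
        },
        "ingressTo": {
            "operations": [{"serviceName": LOGGING_SERVICE, "methodSelectors": [{"method": "*"}]}],
            "resources": [f"projects/{project_number}"],
        },
    }


def ingress_rule_for_sink(sink_describe_json, project_numbers):
    """The rule for the 'denied access to the log bucket' case, derived from the sink description."""
    sink = json.loads(sink_describe_json)
    dest = parse_log_bucket_destination(sink["destination"])
    return build_logging_ingress_rule(sink["writerIdentity"], project_numbers[dest["project"]])


if __name__ == "__main__":
    # A list of rules, as --set-ingress-policies expects; JSON is valid YAML, so either works.
    rule = ingress_rule_for_sink(SINK_DESCRIBE_OUTPUT, PROJECT_NUMBERS)
    print(json.dumps([rule], indent=2))
```

As its name says, --set-ingress-policies sets the perimeter's complete list of ingress rules, so merge the generated rule with the rules the perimeter already has rather than passing it alone, and apply it to the perimeter's dry-run configuration first if you use one. For the first troubleshooting case, call build_logging_ingress_rule with your own "user:" identity and the same project number.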
Limitations
VPC Service Controls doesn't backfill the audit logs from other project-level buckets:
- If you create a new log bucket while setting up the violation dashboard, VPC Service Controls doesn't backfill the existing logs from other projects within your organization into the newly created log bucket. The dashboard appears empty until VPC Service Controls logs new violations and routes these logs to the new log bucket.
- If you select an existing log bucket while setting up the violation dashboard, the dashboard displays information about all existing logs from the selected log bucket. The dashboard doesn't display logs from other projects within your organization because VPC Service Controls doesn't backfill these logs into the selected log bucket.
What's next
- VPC Service Controls audit logging
- Learn how to diagnose an access denial in violation analyzer and view its comprehensive evaluation report.
- Diagnose an access denial and view the classic report
- Troubleshoot common VPC Service Controls issues with Google Cloud services
Last updated 2026-02-18 UTC.