More Info:

Ensure that BigQuery User Activity Audit Logging is configured properly across all projects.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, GDPR, HIPAA, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP console, follow the below steps:
  1. Open the GCP console and navigate to the BigQuery service.
  2. Click on the “Navigation Menu” icon on the top-left corner of the console.
  3. From the menu, select “BigQuery”.
  4. In the BigQuery console, click on the “Settings” icon on the left-hand side panel.
  5. Click on the “Audit logs” tab.
  6. Under the “Audit logs” tab, click on the “Configure” button.
  7. In the “Configure audit logs” window, select the checkbox next to “Data access”.
  8. Select the checkbox next to “Cloud audit logs”.
  9. Click on the “Save” button.
  10. Once the configuration is saved, the user activity logging for BigQuery is enabled.
Note: It is recommended to create a log sink to export the logs to a centralized logging system for further analysis.

To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP CLI, follow the below steps:Step 1: Open the command prompt or terminal on your local machine.Step 2: Authenticate to your GCP account using the below command:
gcloud auth login
Step 3: Set the project to the project for which you want to enable user activity logging using the below command:
gcloud config set project [PROJECT_ID]
Step 4: Enable the BigQuery API using the below command:
gcloud services enable bigquery.googleapis.com
Step 5: Enable user activity logging for BigQuery using the below command:
gcloud logging sinks create [SINK_NAME] bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID] --log-filter='protoPayload.methodName="google.cloud.bigquery.v2.JobService.InsertJob"'
Note: Replace [SINK_NAME], [PROJECT_ID], and [DATASET_ID] with your desired values.Step 6: Verify that the user activity logging is enabled for BigQuery using the below command:
gcloud logging sinks describe [SINK_NAME]
This will display the details of the logging sink that you just created.By following these steps, you can remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled”, you can follow these steps:
  1. Open the GCP Console and navigate to the BigQuery service.
  2. Click on the “Logs” tab in the left-hand menu.
  3. Click on the “Audit Logs” tab.
  4. Click on the “Create Sink” button.
  5. Select the “BigQuery” destination.
  6. Choose the project and dataset where you want to store the audit logs.
  7. Click on the “Create Sink” button.
  8. Open the Cloud Shell or terminal on your local machine and install the Google Cloud SDK.
  9. Authenticate using your GCP account credentials by running the command gcloud auth login.
  10. Set the project ID by running the command gcloud config set project PROJECT_ID.
  11. Create a new Python file and import the necessary libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
  1. Initialize the Logging client:
logging_client = logging_v2.LoggingServiceV2Client()
  1. Define the BigQuery dataset ID and table ID where you want to store the audit logs:
dataset_id = 'DATASET_ID'
table_id = 'TABLE_ID'
  1. Define the Sink ID for the BigQuery sink:
sink_name = f"projects/{project_id}/sinks/{sink_id}"
  1. Create a new Sink object for the BigQuery sink:
sink = logging_v2.LogSink(
    name=sink_name,
    destination=destination,
    filter_=filter_,
    output_version_format=enums.LogSink.VersionFormat.V2,
    bigquery_options=bigquery_options
)
  1. Update the Sink configuration:
update_mask = logging_v2.field_mask.FieldMask(
    paths=["destination", "filter", "bigquery_options"]
)

response = logging_client.update_sink(
    request={
        "sink_name": sink_name,
        "sink": sink,
        "update_mask": update_mask,
    }
)
  1. Verify that the Sink configuration was updated successfully by checking the response:
print(f"Sink updated: {response}")
  1. Run the Python script to remediate the misconfiguration.
These steps will enable user activity logging for BigQuery on GCP and store the audit logs in a BigQuery dataset and table.

Additional Reading: