GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
GCP BigQuery Should Have User Activity Logging Enabled
More Info:
Ensure that BigQuery User Activity Audit Logging is configured properly across all projects.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP, GDPR, HIPAA, ISO27001
Triage and Remediation
Remediation
To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP console, follow the below steps:
-
Open the GCP console and navigate to the BigQuery service.
-
Click on the “Navigation Menu” icon on the top-left corner of the console.
-
From the menu, select “BigQuery”.
-
In the BigQuery console, click on the “Settings” icon on the left-hand side panel.
-
Click on the “Audit logs” tab.
-
Under the “Audit logs” tab, click on the “Configure” button.
-
In the “Configure audit logs” window, select the checkbox next to “Data access”.
-
Select the checkbox next to “Cloud audit logs”.
-
Click on the “Save” button.
-
Once the configuration is saved, the user activity logging for BigQuery is enabled.
Note: It is recommended to create a log sink to export the logs to a centralized logging system for further analysis.
To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP CLI, follow the below steps:
Step 1: Open the command prompt or terminal on your local machine.
Step 2: Authenticate to your GCP account using the below command:
gcloud auth login
Step 3: Set the project to the project for which you want to enable user activity logging using the below command:
gcloud config set project [PROJECT_ID]
Step 4: Enable the BigQuery API using the below command:
gcloud services enable bigquery.googleapis.com
Step 5: Enable user activity logging for BigQuery using the below command:
gcloud logging sinks create [SINK_NAME] bigquery.googleapis.com/projects/[PROJECT_ID]/datasets/[DATASET_ID] --log-filter='protoPayload.methodName="google.cloud.bigquery.v2.JobService.InsertJob"'
Note: Replace [SINK_NAME], [PROJECT_ID], and [DATASET_ID] with your desired values.
Step 6: Verify that the user activity logging is enabled for BigQuery using the below command:
gcloud logging sinks describe [SINK_NAME]
This will display the details of the logging sink that you just created.
By following these steps, you can remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “GCP BigQuery Should Have User Activity Logging Enabled”, you can follow these steps:
- Open the GCP Console and navigate to the BigQuery service.
- Click on the “Logs” tab in the left-hand menu.
- Click on the “Audit Logs” tab.
- Click on the “Create Sink” button.
- Select the “BigQuery” destination.
- Choose the project and dataset where you want to store the audit logs.
- Click on the “Create Sink” button.
- Open the Cloud Shell or terminal on your local machine and install the Google Cloud SDK.
- Authenticate using your GCP account credentials by running the command
gcloud auth login. - Set the project ID by running the command
gcloud config set project PROJECT_ID. - Create a new Python file and import the necessary libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
- Initialize the Logging client:
logging_client = logging_v2.LoggingServiceV2Client()
- Define the BigQuery dataset ID and table ID where you want to store the audit logs:
dataset_id = 'DATASET_ID'
table_id = 'TABLE_ID'
- Define the Sink ID for the BigQuery sink:
sink_name = f"projects/{project_id}/sinks/{sink_id}"
- Create a new Sink object for the BigQuery sink:
sink = logging_v2.LogSink(
name=sink_name,
destination=destination,
filter_=filter_,
output_version_format=enums.LogSink.VersionFormat.V2,
bigquery_options=bigquery_options
)
- Update the Sink configuration:
update_mask = logging_v2.field_mask.FieldMask(
paths=["destination", "filter", "bigquery_options"]
)
response = logging_client.update_sink(
request={
"sink_name": sink_name,
"sink": sink,
"update_mask": update_mask,
}
)
- Verify that the Sink configuration was updated successfully by checking the response:
print(f"Sink updated: {response}")
- Run the Python script to remediate the misconfiguration.
These steps will enable user activity logging for BigQuery on GCP and store the audit logs in a BigQuery dataset and table.