GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Global Backend Services Should Have Logging Enabled
More Info:
Cloud CDN global backend services should have request logging enabled. Logging requests to Cloud CDN endpoints is a helpful way of detecting and investigating potential attacks.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
GDPR, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP console, please follow the below steps:
- Open the Google Cloud Console and select the project where the Cloud CDN is configured.
- Select the “Navigation menu” on the top-left corner of the console and navigate to “Networking” -> “Cloud CDN”.
- Click on the name of the backend service that you want to remediate.
- In the backend service details page, click on the “Edit” button at the top of the page.
- Scroll down to the “Logging” section and click on the “Enable logging” checkbox.
- Select the “Cloud Storage bucket” where you want to store the logs.
- Choose a “Log format” from the drop-down list. You can choose either “JSON” or “Legacy”.
- Click on the “Save” button to save the changes.
Once the changes are saved, the Cloud CDN global backend service will have logging enabled, and the logs will be stored in the specified Cloud Storage bucket.
To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP CLI, you can follow the below steps:
-
Open the GCP console and navigate to the Cloud CDN page.
-
Select the backend service for which you want to enable logging.
-
Click on the “Edit” button at the top of the page.
-
Scroll down to the “Logging” section and click on the drop-down menu.
-
Select the desired logging destination from the available options, such as Cloud Logging or Cloud Storage.
-
If you select Cloud Storage, provide a bucket name and a prefix for the logs.
-
Click on the “Save” button to apply the changes.
Alternatively, you can use GCP CLI to enable logging for a backend service by following the below steps:
-
Open the GCP Cloud Shell.
-
Run the following command to enable logging for a backend service:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --global-log-config enable-logging --global-log-config-name [LOG_NAME] --global-log-config-sample-rate [SAMPLE_RATE]
Replace the [BACKEND_SERVICE_NAME] with the name of your backend service, [LOG_NAME] with the name of the log, and [SAMPLE_RATE] with the sample rate for the logs.
-
Press Enter to execute the command.
-
Verify the logging configuration by running the following command:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --format="get(logConfig.enabled)"
This will return “True” if logging is enabled for the backend service.
By following these steps, you can remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP CLI.
To remediate the misconfiguration of Cloud CDN Global Backend Services not having logging enabled for GCP using Python, you can follow these steps:
-
First, you need to enable Cloud Logging API for your GCP project. You can do this by going to the Cloud Console and navigating to APIs & Services > Dashboard. Then click on the Enable APIs and Services button and search for “Cloud Logging API”. Enable it for your project.
-
Next, you need to create a Cloud Logging sink to export the logs from Cloud CDN to Cloud Logging. You can do this using the
google-cloud-loggingPython library. Here is an example code snippet to create a sink:
from google.cloud import logging_v2
client = logging_v2.LoggingServiceV2Client()
project_id = "your-project-id"
sink_name = "cdn-logs-sink"
destination = f"logging.googleapis.com/projects/{project_id}/logs/cdn"
parent = f"projects/{project_id}"
sink = {
"name": sink_name,
"destination": destination,
"filter": "resource.type=http_load_balancer AND log_name=projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity",
}
response = client.create_sink(parent, sink)
print(f"Created sink: {response.name}")
Replace your-project-id with your actual GCP project ID. This code will create a sink named “cdn-logs-sink” that exports logs from Cloud CDN to a log named “cdn” in Cloud Logging.
- Finally, you need to configure your Cloud CDN backend service to use the Cloud Logging sink you just created. You can do this using the
google-cloud-cdnPython library. Here is an example code snippet to update a backend service:
from google.cloud import cdn_v1beta1
client = cdn_v1beta1.BackendServicesClient()
backend_service_name = "your-backend-service-name"
project_id = "your-project-id"
log_sink = f"logging.googleapis.com/projects/{project_id}/sinks/cdn-logs-sink"
backend_service = client.get_backend_service(request={"backend_service": backend_service_name})
backend_service.log_config.enabled = True
backend_service.log_config.sink = log_sink
update_mask = {"paths": ["log_config.enabled", "log_config.sink"]}
response = client.update_backend_service(request={"backend_service": backend_service, "update_mask": update_mask})
print(f"Updated backend service: {response}")
Replace your-backend-service-name and your-project-id with your actual backend service name and GCP project ID. This code will enable logging for the backend service and set the log sink to the one you created earlier.
After running these steps, your Cloud CDN backend service should have logging enabled and the logs should be exported to Cloud Logging.