More Info:

Cloud CDN global backend services should have request logging enabled. Logging requests to Cloud CDN endpoints is a helpful way of detecting and investigating potential attacks.

Risk Level

Low

Address

Security, Operational Maturity

Compliance Standards

GDPR, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP console, please follow the below steps:
  1. Open the Google Cloud Console and select the project where the Cloud CDN is configured.
  2. Select the “Navigation menu” on the top-left corner of the console and navigate to “Networking” -> “Cloud CDN”.
  3. Click on the name of the backend service that you want to remediate.
  4. In the backend service details page, click on the “Edit” button at the top of the page.
  5. Scroll down to the “Logging” section and click on the “Enable logging” checkbox.
  6. Select the “Cloud Storage bucket” where you want to store the logs.
  7. Choose a “Log format” from the drop-down list. You can choose either “JSON” or “Legacy”.
  8. Click on the “Save” button to save the changes.
Once the changes are saved, the Cloud CDN global backend service will have logging enabled, and the logs will be stored in the specified Cloud Storage bucket.

To remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the GCP console and navigate to the Cloud CDN page.
  2. Select the backend service for which you want to enable logging.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Logging” section and click on the drop-down menu.
  5. Select the desired logging destination from the available options, such as Cloud Logging or Cloud Storage.
  6. If you select Cloud Storage, provide a bucket name and a prefix for the logs.
  7. Click on the “Save” button to apply the changes.
Alternatively, you can use GCP CLI to enable logging for a backend service by following the below steps:
  1. Open the GCP Cloud Shell.
  2. Run the following command to enable logging for a backend service: 
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --global-log-config enable-logging --global-log-config-name [LOG_NAME] --global-log-config-sample-rate [SAMPLE_RATE]
Replace the [BACKEND_SERVICE_NAME] with the name of your backend service, [LOG_NAME] with the name of the log, and [SAMPLE_RATE] with the sample rate for the logs.
  1. Press Enter to execute the command.
  2. Verify the logging configuration by running the following command: 
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --format="get(logConfig.enabled)"
This will return “True” if logging is enabled for the backend service.By following these steps, you can remediate the misconfiguration “Cloud CDN Global Backend Services Should Have Logging Enabled” for GCP using GCP CLI.
To remediate the misconfiguration of Cloud CDN Global Backend Services not having logging enabled for GCP using Python, you can follow these steps:
  1. First, you need to enable Cloud Logging API for your GCP project. You can do this by going to the Cloud Console and navigating to APIs & Services > Dashboard. Then click on the Enable APIs and Services button and search for “Cloud Logging API”. Enable it for your project.
  2. Next, you need to create a Cloud Logging sink to export the logs from Cloud CDN to Cloud Logging. You can do this using the google-cloud-logging Python library. Here is an example code snippet to create a sink: 
from google.cloud import logging_v2

client = logging_v2.LoggingServiceV2Client()
project_id = "your-project-id"
sink_name = "cdn-logs-sink"
destination = f"logging.googleapis.com/projects/{project_id}/logs/cdn"

parent = f"projects/{project_id}"
sink = {
    "name": sink_name,
    "destination": destination,
    "filter": "resource.type=http_load_balancer AND log_name=projects/your-project-id/logs/cloudaudit.googleapis.com%2Factivity",
}

response = client.create_sink(parent, sink)
print(f"Created sink: {response.name}")
Replace your-project-id with your actual GCP project ID. This code will create a sink named “cdn-logs-sink” that exports logs from Cloud CDN to a log named “cdn” in Cloud Logging.
  1. Finally, you need to configure your Cloud CDN backend service to use the Cloud Logging sink you just created. You can do this using the google-cloud-cdn Python library. Here is an example code snippet to update a backend service:
from google.cloud import cdn_v1beta1

client = cdn_v1beta1.BackendServicesClient()
backend_service_name = "your-backend-service-name"
project_id = "your-project-id"
log_sink = f"logging.googleapis.com/projects/{project_id}/sinks/cdn-logs-sink"

backend_service = client.get_backend_service(request={"backend_service": backend_service_name})
backend_service.log_config.enabled = True
backend_service.log_config.sink = log_sink

update_mask = {"paths": ["log_config.enabled", "log_config.sink"]}
response = client.update_backend_service(request={"backend_service": backend_service, "update_mask": update_mask})
print(f"Updated backend service: {response}")
Replace your-backend-service-name and your-project-id with your actual backend service name and GCP project ID. This code will enable logging for the backend service and set the log sink to the one you created earlier.After running these steps, your Cloud CDN backend service should have logging enabled and the logs should be exported to Cloud Logging.

Additional Reading: