GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud CDN Regional Backend Services Should Have Logging Enabled
More Info:
Cloud CDN regional backend services should have request logging enabled. Logging requests to Cloud CDN endpoints is a helpful way of detecting and investigating potential attacks.
Risk Level
Low
Address
Security, Operational Maturity
Compliance Standards
GDPR, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration of “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using the GCP console, follow the below steps:
- Open the Google Cloud Console and navigate to the Cloud CDN page.
- Select the name of the CDN that you want to remediate.
- In the left-hand menu, select the “Backend services” option.
- Click on the name of the backend service that you want to remediate.
- In the backend service page, scroll down to the “Cloud Logging” section.
- Click on the “Add Log Sink” button.
- In the “Create Sink” page, enter a name for the log sink.
- In the “Sink Service” section, select “Cloud Logging”.
- In the “Sink Destination” section, select the destination where you want to send the logs.
- In the “Filter” section, specify the filter criteria for the logs that you want to send to the destination.
- Click on the “Create” button to create the log sink.
Once the log sink is created, all the logs generated by the backend service will be sent to the specified destination. This will remediate the misconfiguration of “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP.
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using GCP CLI, follow the below steps:
-
Open the Google Cloud SDK Shell and connect to your GCP project using the command:
gcloud init -
Enable the Cloud CDN API using the command:
gcloud services enable compute.googleapis.com -
Create a logging sink using the command:
gcloud logging sinks create [SINK_NAME] storage.googleapis.com/[BUCKET_NAME] --log-filter='resource.type="http_load_balancer" AND resource.labels.forwarding_rule_name="[FORWARDING_RULE_NAME]"'Replace
[SINK_NAME]with a name for your logging sink,[BUCKET_NAME]with the name of the GCP storage bucket where you want to store the logs, and[FORWARDING_RULE_NAME]with the name of the forwarding rule associated with the regional backend service. -
Grant the
logging.logWriterIAM role to the Cloud Logging service account using the command:gcloud projects add-iam-policy-binding [PROJECT_ID] --member='serviceAccount:[SINK_NAME]@[PROJECT_ID].iam.gserviceaccount.com' --role='roles/logging.logWriter'Replace
[PROJECT_ID]with your GCP project ID and[SINK_NAME]with the name of your logging sink. -
Update the regional backend service to enable logging using the command:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --enable-cdn-logging --cdn-logging-sink=[SINK_NAME]Replace
[BACKEND_SERVICE_NAME]with the name of the regional backend service and[SINK_NAME]with the name of the logging sink created in step 3. -
Verify that logging is enabled for the regional backend service by checking the logs in the GCP storage bucket specified in step 3.
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using Python, you can follow the below steps:
Step 1: Import the necessary libraries
from googleapiclient.discovery import build
from google.oauth2 import service_account
Step 2: Set up the authentication credentials
credentials = service_account.Credentials.from_service_account_file('<path_to_service_account_file>')
project_id = '<your_project_id>'
Step 3: Create a function to enable logging for the backend service
def enable_backend_service_logging(service_name, backend_service_name):
service = build('compute', 'v1', credentials=credentials)
backend_service = service.backendServices().get(project=project_id, backendService=backend_service_name).execute()
backend_service['logConfig'] = {
'enable': True,
'sampleRate': 1.0
}
response = service.backendServices().update(project=project_id, backendService=backend_service_name, body=backend_service).execute()
print(f'Logging enabled for backend service {backend_service_name}')
Step 4: Call the function with the appropriate parameters
enable_backend_service_logging('compute', '<backend_service_name>')
Note: Replace <path_to_service_account_file>, <your_project_id>, and <backend_service_name> with the appropriate values.