Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using the GCP console, follow the steps below:
- Open the Google Cloud Console and navigate to Network services > Load balancing.
- Open the “Backends” tab and click on the name of the regional backend service that you want to remediate (the list shows the region of each backend service; the ones with a region are the regional backend services).
- Click “Edit”.
- In the “Logging” section, select “Enable logging”.
- Set the “Sample rate” to 1.0 (100%) unless you deliberately want sampling: a lower rate means only that fraction of requests is logged, and a rate of 0.0 logs nothing even though logging is enabled.
- Click “Update” to save the backend service.
- Repeat the steps for every regional backend service flagged by the finding.
- Once logging is enabled, request logs are written to Cloud Logging automatically. Creating a log sink is a separate, optional step for exporting those logs to Cloud Storage, BigQuery or Pub/Sub; a sink on its own does not enable logging on the backend service.
Using CLI
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using GCP CLI, follow the steps below:
- Open the Google Cloud SDK Shell and connect to your GCP project using the command:
gcloud init
- Enable the Compute Engine API (backend services are Compute Engine resources; there is no separate Cloud CDN API) using the command:
gcloud services enable compute.googleapis.com
- List the regional backend services in the affected region together with their logging configuration, to find the ones that need remediation:
gcloud compute backend-services list --regions=[REGION] --format="table(name,region,logConfig.enable,logConfig.sampleRate)"
Replace [REGION] with the region of the backend service (for example us-central1). A backend service whose logConfig.enable is empty or False, or whose sample rate is 0, is non-compliant.
- Enable logging on the regional backend service using the command:
gcloud compute backend-services update [BACKEND_SERVICE_NAME] --region=[REGION] --enable-logging --logging-sample-rate=1.0
Replace [BACKEND_SERVICE_NAME] with the name of the regional backend service. The --region flag is required for a regional backend service (a global backend service takes --global instead). --logging-sample-rate accepts a value from 0.0 to 1.0: 1.0 logs every request, and 0.0 logs nothing even though logging is enabled.
- Verify that logging is enabled by describing the backend service:
gcloud compute backend-services describe [BACKEND_SERVICE_NAME] --region=[REGION] --format="value(logConfig.enable,logConfig.sampleRate)"
The output should show True followed by the sample rate you set.
- Request logs are now written to Cloud Logging automatically; no log sink or extra IAM binding is needed for that. Create a sink only if you also want to export the logs, for example to a Cloud Storage bucket:
gcloud logging sinks create [SINK_NAME] storage.googleapis.com/[BUCKET_NAME] --log-filter='resource.type="internal_http_lb_rule" OR resource.type="http_external_regional_lb_rule"'
Replace [SINK_NAME] with a name for the sink and [BUCKET_NAME] with the destination bucket. A filter on resource.type="http_load_balancer" matches only the global external Application Load Balancer, not regional load balancers, so check the resource type that your regional load balancer actually writes and adjust the filter to it. Then grant the sink's writer identity (shown by gcloud logging sinks describe [SINK_NAME]) the roles/storage.objectCreator role on the bucket. The logging.logWriter role is for principals that write log entries, not for sink export, and the sink's identity is not [SINK_NAME]@[PROJECT_ID].iam.gserviceaccount.com.
Using Python
To remediate the misconfiguration “Cloud CDN Regional Backend Services Should Have Logging Enabled” for GCP using Python, you can follow the steps below:
- Step 1: Import the necessary libraries.
- Step 2: Set up the authentication credentials for your project.
- Step 3: Create a function that enables logging for the regional backend service by patching its logConfig (enable set to true with a non-zero sample rate) and waiting for the resulting region operation to finish.
- Step 4: Call the function with the appropriate parameters and read the backend service's logConfig back to verify the change.
Note: Replace <path_to_service_account_file>, <your_project_id>, and <backend_service_name> with the appropriate values; a regional backend service also needs its region.
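The four steps above carried out end to end, as an added example that is not the page's own code. It talks to the Compute Engine v1 REST API with the standard library only, and assumes (my choice, not something the page states) that an access token is available either in a GCP_ACCESS_TOKEN environment variable or from `gcloud auth print-access-token`, which works after `gcloud auth activate-service-account --key-file=<path_to_service_account_file>`. The SAMPLE_BACKEND_SERVICES list is constructed to mirror the shape of a regionBackendServices.list response so the compliance logic can be exercised offline; project, region and backend service names are placeholders.

```python
"""Enable request logging on GCP regional backend services via the Compute Engine REST API.

Added example, not the page's code. Assumes a bearer token from GCP_ACCESS_TOKEN or from
`gcloud auth print-access-token` (after `gcloud auth activate-service-account --key-file=...`).
"""
import json
import os
import subprocess
import sys
import urllib.request

API = "https://compute.googleapis.com/compute/v1"

# Constructed sample of a regionBackendServices.list response (only the fields used here).
SAMPLE_BACKEND_SERVICES = [
    {"name": "bs-no-logconfig", "fingerprint": "AAAA="},
    {"name": "bs-disabled", "fingerprint": "BBBB=", "logConfig": {"enable": False}},
    {"name": "bs-zero-rate", "fingerprint": "CCCC=", "logConfig": {"enable": True, "sampleRate": 0.0}},
    {"name": "bs-compliant", "fingerprint": "DDDD=", "logConfig": {"enable": True, "sampleRate": 1.0}},
]


def access_token():
    """Bearer token for the API calls: env var first, otherwise ask gcloud (assumption, see docstring)."""
    return os.environ.get("GCP_ACCESS_TOKEN") or subprocess.check_output(
        ["gcloud", "auth", "print-access-token"], text=True).strip()


def api_call(method, path, token, body=None):
    """One authenticated JSON request against the Compute Engine v1 API; returns the parsed response."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        f"{API}/{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def needs_remediation(backend_service):
    """Non-compliant when logConfig is missing, enable is false, or the sample rate is 0 (nothing logged).
    A missing sampleRate with enable=true means the API default of 1.0."""
    cfg = backend_service.get("logConfig") or {}
    return not cfg.get("enable", False) or float(cfg.get("sampleRate", 1.0)) <= 0.0


def find_noncompliant(backend_services):
    """Names of the backend services in a list() response that still need logging enabled."""
    return [bs["name"] for bs in backend_services if needs_remediation(bs)]


def logging_patch_body(backend_service, sample_rate=1.0):
    """PATCH body that turns logging on. The fingerprint from the GET is echoed back so the API
    rejects the patch if someone changed the backend service in between."""
    if not 0.0 < sample_rate <= 1.0:
        raise ValueError("sample_rate must be in (0, 1]; 0 would log nothing")
    body = {"logConfig": {"enable": True, "sampleRate": sample_rate}}
    if "fingerprint" in backend_service:
        body["fingerprint"] = backend_service["fingerprint"]
    return body


def list_region_backend_services(project, region, token):
    """All backend services in one region, following nextPageToken pagination."""
    items, page_token = [], None
    while True:
        path = f"projects/{project}/regions/{region}/backendServices"
        if page_token:
            path += f"?pageToken={page_token}"
        resp = api_call("GET", path, token)
        items.extend(resp.get("items", []))
        page_token = resp.get("nextPageToken")
        if not page_token:
            return items


def wait_for_region_operation(project, region, op_name, token):
    """Block on regionOperations.wait until the operation is DONE; raise if it reported an error."""
    while True:
        op = api_call("POST", f"projects/{project}/regions/{region}/operations/{op_name}/wait", token, body={})
        if op.get("status") == "DONE":
            if "error" in op:
                raise RuntimeError(json.dumps(op["error"]))
            return op


def enable_logging(project, region, name, token, sample_rate=1.0):
    """Step 3: patch one regional backend service, wait, then read logConfig back (step 4's check)."""
    path = f"projects/{project}/regions/{region}/backendServices/{name}"
    current = api_call("GET", path, token)
    if needs_remediation(current):
        op = api_call("PATCH", path, token, body=logging_patch_body(current, sample_rate))
        wait_for_region_operation(project, region, op["name"], token)
    verified = api_call("GET", path, token)
    if needs_remediation(verified):
        raise RuntimeError(f"{name}: logging still disabled after patch: {verified.get('logConfig')}")
    return verified.get("logConfig", {})


def remediate_region(project, region, sample_rate=1.0):
    """Enable logging on every non-compliant regional backend service; returns the names fixed."""
    token = access_token()
    targets = find_noncompliant(list_region_backend_services(project, region, token))
    for name in targets:
        enable_logging(project, region, name, token, sample_rate)
    return targets


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 enable_lb_logging.py <your_project_id> <region>
        print("remediated:", remediate_region(sys.argv[1], sys.argv[2]))
    else:  # no arguments: dry run over the constructed sample, no API calls
        print("would remediate:", find_noncompliant(SAMPLE_BACKEND_SERVICES))
```

Run it with no arguments to see the dry run over the constructed sample; with a project ID and region it patches every non-compliant regional backend service in that region and fails loudly if the read-back still shows logging off. To fix a single backend service, call enable_logging() with <your_project_id>, the region, <backend_service_name> and a token from access_token().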