Cloud Functions Logging Should Be Enabled
More Info:
DATA_READ, DATA_WRITE and ADMIN_READ logs should be enabled on Cloud Functions
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
CISGCP, CBP, GDPR, HIPAA, ISO27001
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” for GCP using GCP console, follow the steps below:
- Open the Google Cloud Console and select the project where the Cloud Function is located.
- Navigate to the Cloud Functions page by selecting “Cloud Functions” from the left-hand menu.
- Select the Cloud Function for which you want to enable logging.
- Click on the “Edit” button on the top of the page to edit the Cloud Function settings.
- Scroll down to the “Logging” section and click on the “Enable” button to enable logging for the Cloud Function.
- Choose the desired log level and log retention period.
- Click on the “Save” button to save the changes.
Once logging is enabled for the Cloud Function, you will be able to see the logs in the Stackdriver Logging Console.
To remediate the misconfiguration of “Cloud Functions Logging Should Be Enabled” in GCP using GCP CLI, follow the below steps:
Step 1: Open the Google Cloud SDK Shell or any other terminal.
Step 2: Run the following command to enable logging for a Cloud Function in the current project:
gcloud functions deploy FUNCTION_NAME --enable-logging
Note: Replace FUNCTION_NAME with the name of the function for which you want to enable logging.
Step 3: Verify that the logging is enabled for the Cloud Function by running the following command:
gcloud functions describe FUNCTION_NAME
Note: Replace FUNCTION_NAME with the name of the function for which you enabled logging.
Step 4: Look for the loggingEnabled field in the output of the above command. It should be set to true, indicating that logging is enabled for the Cloud Function.
Step 5: Repeat the above steps for all the Cloud Functions in the project to ensure that logging is enabled for all of them.
By following these steps, you can remediate the misconfiguration of “Cloud Functions Logging Should Be Enabled” in GCP using GCP CLI.
To remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” in GCP using Python, follow these steps:
- Open the Google Cloud Console and go to the Cloud Functions section.
- Select the function for which you want to enable logging.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Logging” section and click on the “Enable” button.
- Select the log level you want to enable (e.g., “Debug”, “Info”, “Warning”, “Error”, or “Critical”).
- Click on the “Save” button to save the changes.
Alternatively, you can use the gcloud command-line tool to enable logging for the function. Here’s an example command:
gcloud functions update FUNCTION_NAME --log-http --verbosity=debug
Replace FUNCTION_NAME with the name of your function. The --log-http flag enables HTTP request logging, and the --verbosity flag sets the log level to “debug”. You can change the log level as needed.
Once you’ve enabled logging for the function, you can view the logs in the Cloud Logging section of the Google Cloud Console.
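The DATA_READ, DATA_WRITE and ADMIN_READ log types named at the top of this page are configured in the auditConfigs section of the project's IAM policy. The following Python check is an added example, not code from the original page: it reads a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, and its function names and sample policy are constructed for illustration.

```python
import copy
import json

REQUIRED = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")
SERVICE = "cloudfunctions.googleapis.com"

def audit_gaps(policy, service=SERVICE):
    """Map each required log type to its problem; an empty dict means compliant."""
    exempt = {}  # logType -> union of exemptedMembers across matching configs
    for cfg in policy.get("auditConfigs", []):
        # The service-specific config and the allServices default are unioned,
        # for enabled log types and for exempted members alike.
        if cfg.get("service") in (service, "allServices"):
            for entry in cfg.get("auditLogConfigs", []):
                exempt.setdefault(entry.get("logType"), set()).update(
                    entry.get("exemptedMembers", []))
    gaps = {}
    for log_type in REQUIRED:
        if log_type not in exempt:
            gaps[log_type] = "not enabled"
        elif exempt[log_type]:
            gaps[log_type] = "exempted: " + ", ".join(sorted(exempt[log_type]))
    return gaps

def with_required_logs(policy, service=SERVICE):
    """Return a copy of the policy with every required log type enabled for
    `service`. Existing exemptions are kept so they can be reviewed by hand."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    cfg = next((c for c in configs if c.get("service") == service), None)
    if cfg is None:
        cfg = {"service": service}
        configs.append(cfg)
    entries = cfg.setdefault("auditLogConfigs", [])
    present = {e.get("logType") for e in entries}
    entries += [{"logType": t} for t in REQUIRED if t not in present]
    return fixed

# Constructed sample policy (not taken from a real project).
SAMPLE = json.loads("""
{"auditConfigs": [
  {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
  {"service": "cloudfunctions.googleapis.com", "auditLogConfigs": [
    {"logType": "DATA_READ", "exemptedMembers": ["user:dev@example.com"]}]}
], "bindings": []}
""")

if __name__ == "__main__":
    print(audit_gaps(SAMPLE))                      # gaps before the fix
    print(audit_gaps(with_required_logs(SAMPLE)))  # what still needs review
```

The patched policy can be written to a file and applied with `gcloud projects set-iam-policy PROJECT_ID FILE`; the exemption that remains in the second result has to be removed deliberately.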