GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Enforce Detailed Audit Logging Mode
More Info:
Ensure that “Google Cloud Platform - Detailed Audit Logging Mode” policy is enforced at the organization level in order to enable Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.
Risk Level
Medium
Address
Operational Maturity, Reliability, Security
Compliance Standards
CISGCP, CBP, GDPR, HIPAA, ISO27001
Triage and Remediation
Remediation
To remediate the misconfiguration of not enforcing detailed audit logging mode in GCP, you can follow the steps below using the GCP console:
-
Log in to your Google Cloud Console.
-
Navigate to the “Logging” page by clicking on the hamburger menu on the top left corner of the page and selecting “Logging” under the “TOOLS” section.
-
Click on “Log Router” on the left-hand side of the page.
-
Click on “Create Sink” at the top of the page.
-
In the “Create Sink” page, enter a name for the sink in the “Name” field.
-
In the “Sink Service” field, select the service you want to enable detailed audit logging for. For example, you can select “Cloud Storage”.
-
In the “Sink Destination” field, select “BigQuery” or “Cloud Pub/Sub” as the destination for the logs.
-
In the “Sink Filter” field, enter the filter expression to specify the logs you want to collect. For example, you can enter “protoPayload.serviceName=storage.googleapis.com” to collect logs related to Cloud Storage.
-
Click on “Create Sink” to create the sink.
-
Repeat steps 4 to 9 for each service you want to enable detailed audit logging for.
By following these steps, you will have enabled detailed audit logging mode for the selected GCP services and can now monitor and analyze the logs for security and compliance purposes.
To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” for GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to enable audit logging for all services in the current project:
gcloud alpha logging configs create --project [PROJECT_ID] --service all --data-access all --log-type audit --exempted-members user:[USER_EMAIL]
Note: Replace [PROJECT_ID] with the ID of your GCP project and [USER_EMAIL] with the email address of the user who should be exempted from audit logging.
- Run the following command to verify that audit logging is enabled:
gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all
This command should return the configuration details for audit logging.
- Run the following command to enable enforced audit logging mode:
gcloud alpha logging configs update --project [PROJECT_ID] --config-type data-access --config-name all --enforced true
This command will enable enforced audit logging mode for all services in the current project.
- Run the following command to verify that enforced audit logging mode is enabled:
gcloud alpha logging configs describe --project [PROJECT_ID] --config-type data-access --config-name all
This command should return the configuration details for enforced audit logging mode.
- Verify that audit logs are being generated for all services in the project by checking the audit logs in the Logging console.
By following these steps, you will remediate the misconfiguration “Enforce Detailed Audit Logging Mode” for GCP using GCP CLI.
To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” in GCP using Python, you can follow the below steps:
Step 1: Install the necessary packages
pip install google-auth google-auth-oauthlib google-auth-httplib2 google-cloud-logging
Step 2: Set the project ID and the log sink name
project_id = "your-project-id"
sink_name = "your-sink-name"
Step 3: Create a client object for the Logging API
from google.cloud import logging_v2
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('path/to/service/account/key.json')
client = logging_v2.LoggingServiceV2Client(credentials=credentials)
Step 4: Create a sink filter to include all audit logs
filter = "logName:\"logs/cloudaudit.googleapis.com\""
Step 5: Create a sink object with the filter and destination
from google.cloud.logging_v2.types import LogSink
destination = f"bigquery.googleapis.com/projects/{project_id}/datasets/audit_logs"
sink = LogSink(
name=sink_name,
filter=filter,
destination=destination
)
Step 6: Create or update the sink in the project
from google.api_core.exceptions import AlreadyExists
try:
response = client.create_sink(
parent=f"projects/{project_id}",
sink=sink
)
print(f"Sink created: {response.name}")
except AlreadyExists:
response = client.update_sink(
sink_name,
sink,
update_mask=["filter", "destination"]
)
print(f"Sink updated: {response.name}")
Step 7: Verify that the sink is created and that audit logs are being exported
response = client.list_sinks(f"projects/{project_id}")
for sink in response:
print(sink.name)
This will create or update the sink in the project and start exporting all audit logs to BigQuery. You can verify that the sink is created and that audit logs are being exported by checking the output of the list_sinks method.