More Info:

Ensures that logging and log alerts exist for audit configuration changes. Project Ownership is the highest level of privilege on a project, any changes in audit configuration should be heavily monitored to prevent unauthorized changes.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, CISGCP, CBP, HITRUST, GDPR, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” on GCP using the GCP console, you can follow these steps:
  1. Open the GCP console and navigate to the Cloud Logging page.
  2. Click on “Logs-based Metrics” in the left-hand menu.
  3. Click on “Create Metric” to create a new metric.
  4. Give your metric a name and description, and set the filter to the following: 
    resource.type="project"
protoPayload.methodName="SetIamPolicy"
    This filter will match any changes to the IAM policy for your project.
  5. Under “Configuration”, select “Create Alert from Metric”.
  6. Configure your alert as desired, including the notification channels you want to use.
  7. Save your alert.
By following these steps, you will have enabled Audit Configuration Change Log Alerts on GCP, allowing you to be notified whenever changes are made to your project’s IAM policy.

To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using GCP CLI, please follow the below steps:
  1. Open the GCP Cloud console and navigate to the Security Command Center.
  2. Click on the “Security Health Analytics” tab and select “Audit Configuration Change Log Alerts” from the list of security checks.
  3. If the check is failed, click on the “Remediate” button.
  4. In the “Remediation” dialog box, select the “GCP CLI” option.
  5. Open the Cloud Shell in the GCP console.
  6. Run the following command to enable the audit configuration change log alerts:
gcloud logging sinks create [SINK_NAME] storage.googleapis.com/[BUCKET_NAME] --log-filter='resource.type="audited_resource" AND protoPayload.methodName="google.cloud.audit.AuditLogService.UpdateConfig"'
Note: Replace [SINK_NAME] with a name for the sink and [BUCKET_NAME] with the name of the destination bucket.
  1. After running the above command, verify that the audit configuration change log alerts are enabled by running the following command:
gcloud logging sinks describe [SINK_NAME]
  1. Check the output of the above command to ensure that the “logFilter” parameter is set to resource.type="audited_resource" AND protoPayload.methodName="google.cloud.audit.AuditLogService.UpdateConfig".
Once the above steps are completed, the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using GCP CLI will be remediated.
To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using Python, you can follow these steps:
  1. Install the Google Cloud SDK and authenticate with your GCP account using the following command:
gcloud auth login
  1. Install the required Python libraries using the following command:
pip install google-cloud-logging google-auth google-auth-oauthlib google-auth-httplib2
  1. Create a new Python script and import the required libraries:
from google.cloud import logging_v2
from google.oauth2 import service_account
  1. Create a service account with the necessary permissions to access the logs using the GCP Console.
  2. Create a credentials object using the service account key file: 
credentials = service_account.Credentials.from_service_account_file('path/to/keyfile.json')
  1. Create a Logging client object:
client = logging_v2.LoggingServiceV2Client(credentials=credentials)
  1. Retrieve the current configuration for the project’s logging sink:
project_id = 'your-project-id'
sink_name = 'sink-name'
sink = client.get_sink(f"projects/{project_id}/sinks/{sink_name}")
  1. Modify the configuration to enable audit configuration change log alerts:
sink.filter = 'logName:cloudaudit.googleapis.com%2Factivity AND protoPayload.methodName:google.cloud.resourcemanager.v1.Projects.Update'
sink.output_version_format = 'V2'
sink.writer_identity = 'serviceAccount:[email protected]'
sink.include_children = True
sink.create_time = None
sink.update_time = None

response = client.update_sink(sink_name, sink, unique_writer_identity=True)
  1. Verify that the configuration has been updated by checking the sink’s properties:
print(response)
This should remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using Python.

Additional Reading: