GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud Audit Logging Should Be Enabled
More Info:
Ensure that Cloud Audit Logging is configured properly across all services and all users from a project.
Risk Level
Medium
Address
Security
Compliance Standards
CISGCP, CBP, GDPR, NIST, HIPAA, ISO27001, SOC2, NISTCSF, PCIDSS, FedRAMP
Triage and Remediation
Remediation
To remediate the “Cloud Audit Logging Should Be Enabled” misconfiguration for GCP using the GCP console, follow the steps below:
-
Open the GCP Console and navigate to the project for which you want to enable audit logging.
-
Click on the “Navigation Menu” button in the top left corner of the console and select “Logging” under the “TOOLS” section.
-
In the Logging page, click on the “Log-based Metrics” tab.
-
Click on the ”+ CREATE METRIC” button to create a new metric.
-
In the “Create a Metric” page, enter a name for the metric (e.g., “audit-logs”), select “Admin Activity” under the “Log” dropdown menu, and select “Global” under the “Resource type” dropdown menu.
-
Click on the “CREATE METRIC” button to create the metric.
-
Click on the “Create Sink” button to create a new sink.
-
In the “Create a Sink” page, enter a name for the sink (e.g., “audit-logs-sink”), select “BigQuery” under the “Sink Service” dropdown menu, and select the destination dataset and table where you want to store the audit logs.
-
Click on the “CREATE SINK” button to create the sink.
-
Click on the “View Sink” button to view the sink details.
-
In the sink details page, click on the “EDIT” button to edit the sink configuration.
-
In the “Edit a Sink” page, select “Include All Logs” under the “Filter” section and select the metric you created earlier under the “Log Metric” section.
-
Click on the “SAVE” button to save the sink configuration.
-
You have now enabled audit logging for your GCP project. The audit logs will be stored in the destination BigQuery table you specified in the sink configuration.
To remediate the misconfiguration “Cloud Audit Logging should be enabled” for GCP using GCP CLI, follow the below steps:
-
Open the Cloud Shell in the GCP console or install the GCP CLI on your local machine.
-
Run the following command to enable Cloud Audit Logging for all services in your project:
gcloud logging project-config set \
audit_configs: \
- service: allServices \
audit_log_configs: \
- log_type: ADMIN_READ \
exempted_members: \
- user:[email protected] \
- group:[email protected] \
- domain:example.com \
- log_type: DATA_READ \
- log_type: DATA_WRITE \
-
Replace the exempted_members field with the email addresses or domains of the users or groups that should be exempt from audit logging.
-
Run the following command to verify that Cloud Audit Logging is enabled:
gcloud logging project-config describe
- Check the output for the following line:
"cloudAuditLogsEnabled": true
If the value is true, then Cloud Audit Logging is enabled for your project.
By following these steps, you can successfully remediate the misconfiguration “Cloud Audit Logging should be enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Cloud Audit Logging Should Be Enabled” for GCP using Python, you can follow the below steps:
- Import the required libraries:
from googleapiclient import discovery
from oauth2client.client import GoogleCredentials
- Authenticate and create a client object:
credentials = GoogleCredentials.get_application_default()
service = discovery.build('logging', 'v2', credentials=credentials)
- Create a sink object for the logs to be collected:
sink_name = 'my-sink'
destination_uri = 'storage.googleapis.com/my-bucket'
filter = 'logName:syslog'
sink = {
'name': sink_name,
'destination': destination_uri,
'filter': filter
}
- Check if the sink already exists:
sinks = service.sinks().list(project='my-project-id').execute()
if sink_name in [s['name'] for s in sinks['sinks']]:
print(f"Sink {sink_name} already exists.")
else:
# Create the sink
service.sinks().create(
body=sink,
parent=f"projects/my-project-id"
).execute()
print(f"Sink {sink_name} created.")
- Enable audit logging for the project:
service.projects().updateAuditConfig(
body={
'auditConfig': {
'service': 'allServices',
'auditLogConfigs': [{
'logName': 'projects/my-project-id/logs/cloudaudit.googleapis.com',
'exemptedMembers': [],
'ignoreChildExemptions': True,
'enabled': True
}]
}
},
resource='projects/my-project-id'
).execute()
This will enable audit logging for the GCP project and create a sink to collect the logs in a specified bucket. You can modify the sink name, destination URI, and filter as per your requirement.