Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” in GCP using the GCP console, follow the steps below:
- Open the GCP console and select the project for which you want to enable the Custom Role Change Log Alerts.
- Click the “Navigation menu” in the top-left corner of the console and select “Logging” under the “TOOLS” section.
- On the Logging page, click the “Create Sink” button.
- On the “Create Sink” page, provide a name for the sink in the “Name” field.
- In the “Sink Service” section, select “Cloud Pub/Sub” as the sink service.
- In the “Cloud Pub/Sub topic” field, select an existing topic or create a new one to which the logs will be sent.
- In the “Filter” section, add the following filter. This filter will capture the logs for any changes made to custom roles:
- Click the “Create Sink” button to create the sink.
- Once the sink is created, click the “Create Alert” button to create an alert based on the same filter. Note that the alert is not evaluated against the sink: the sink only routes matching entries to Pub/Sub, while the alerting condition reads a log-based metric built from the filter.
- On the “Create Alerting Policy” page, provide a name for the alert in the “Name” field.
- In the “Condition” section, click the “Add Condition” button and select “Log-based Metric” as the condition type.
- In the “Log-based Metric” section, select the log-based metric that uses the filter from step 7. The sink named in step 4 cannot be selected here; if no such metric exists yet, create one under “Logging” > “Log-based Metrics” with the same filter first.
- In the “Aggregation” section, select “Count” as the aggregation type and set the “Period” to 1 minute.
- In the “Filter” section, add the same filter that you added in step 7.
- In the “Configuration” section, set the “Threshold” to 1 and the “For” duration to 1 minute. Choose the comparison so that a single matching entry in the period counts as a violation (for example “is above” 0, or “is above or equal to” 1); with “is above” 1 a lone role change would never trigger the alert.
- In the “Notification Channels” section, select the notification channels to which you want to send the alerts.
- Click the “Save” button to save the alerting policy.
Using CLI
To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” for GCP using the GCP CLI, follow the steps below:
- Open the Cloud Shell in your GCP console.
- Run the following command to enable the Custom Role Change Log Alerts. Note: replace <your-project-id> with your actual GCP project ID.
- Run the following command to verify the Custom Role Change Log Alerts. This command will list all the channels with the display name “Custom Role Change Log Alerts”.
- If the above command returns a valid response, then the Custom Role Change Log Alerts have been successfully enabled. A channel with that display name only proves the notification channel exists; to be sure the control is effective, also confirm that the log-based metric with the custom-role filter and an enabled alerting policy that reads that metric are present in the project.
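The console and CLI procedures above both come down to two objects: a log-based metric built from the custom-role filter and an alerting policy that counts it. The following is an added example, not code from the original page, that builds both request bodies in Python, applies them with the google-cloud-logging and google-cloud-monitoring client libraries, and includes the triage check a practitioner wants after the CLI verification step: inspecting the metrics and policies already in a project to decide whether the control is really in place. The filter is the one the CIS GCP Foundations Benchmark recommends for custom-role changes; the metric name `custom_role_changes`, the policy display name and the `is_remediated` helper are assumptions of this example. The condition fires on the first matching entry in a 60-second window (comparison greater than 0, no hold duration) rather than the literal “threshold 1 for 1 minute” of the console steps, because a delta count that exists for only one period would not satisfy a one-minute hold.

```python
"""Provision and verify the custom-role-change log-based metric and alert policy (added example)."""
import json
import re

METRIC_NAME = "custom_role_changes"                 # assumed name; any valid metric name works
ALERT_DISPLAY_NAME = "Custom Role Change Log Alerts"
REQUIRED_METHODS = (
    "google.iam.admin.v1.CreateRole",
    "google.iam.admin.v1.DeleteRole",
    "google.iam.admin.v1.UpdateRole",
)
# Filter recommended by the CIS GCP Foundations Benchmark for custom-role changes.
CUSTOM_ROLE_CHANGE_FILTER = (
    'resource.type="iam_role" AND ('
    'protoPayload.methodName="google.iam.admin.v1.CreateRole" OR '
    'protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR '
    'protoPayload.methodName="google.iam.admin.v1.UpdateRole")'
)


def build_metric_spec(metric_name=METRIC_NAME):
    """LogMetric body (REST JSON form) for the counter the alert policy reads."""
    return {
        "name": metric_name,
        "description": "Counts audit log entries that create, update or delete a custom IAM role",
        "filter": CUSTOM_ROLE_CHANGE_FILTER,
    }


def build_alert_policy(notification_channels, metric_name=METRIC_NAME):
    """AlertPolicy body in REST JSON form (also accepted by
    `gcloud alpha monitoring policies create --policy-from-file`)."""
    return {
        "displayName": ALERT_DISPLAY_NAME,
        "combiner": "OR",
        "enabled": True,
        "conditions": [{
            "displayName": "Custom IAM role created, updated or deleted",
            "conditionThreshold": {
                "filter": f'metric.type="logging.googleapis.com/user/{metric_name}"',
                "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_COUNT"}],
                "comparison": "COMPARISON_GT",   # count > 0: one matching entry is enough
                "thresholdValue": 0,
                "duration": "0s",                # no hold time, otherwise a single change is missed
            },
        }],
        "notificationChannels": list(notification_channels),
    }


def _metric_covers_custom_roles(metric_filter):
    """True if a metric filter covers create, update and delete of IAM roles."""
    normalised = " ".join(metric_filter.split())
    return 'resource.type="iam_role"' in normalised and all(m in normalised for m in REQUIRED_METHODS)


def is_remediated(metrics, policies):
    """Triage check over a project's log-based metrics and alert policies (JSON form as returned by the APIs).
    Returns (ok, reason). Requires an enabled policy with at least one notification channel that reads a covering metric."""
    covering = {m["name"] for m in metrics if _metric_covers_custom_roles(m.get("filter", ""))}
    if not covering:
        return False, "no log-based metric matches create/update/delete of custom roles"
    for policy in policies:
        if not policy.get("enabled", False) or not policy.get("notificationChannels"):
            continue
        for condition in policy.get("conditions", []):
            cond_filter = condition.get("conditionThreshold", {}).get("filter", "")
            hit = re.search(r'metric\.type="logging\.googleapis\.com/user/([^"]+)"', cond_filter)
            if hit and hit.group(1) in covering:
                return True, f'enabled policy "{policy.get("displayName")}" alerts on metric {hit.group(1)}'
    return False, "no enabled alert policy with a notification channel reads a covering metric"


if __name__ == "__main__":
    # Usage: python remediate.py <project-id> projects/<project-id>/notificationChannels/<id> ...
    # Needs Application Default Credentials with permission to create metrics and alert policies.
    import sys
    from google.cloud import logging as gcp_logging    # pip install google-cloud-logging
    from google.cloud import monitoring_v3              # pip install google-cloud-monitoring

    project_id, channels = sys.argv[1], sys.argv[2:]
    spec = build_metric_spec()
    metric = gcp_logging.Client(project=project_id).metric(
        spec["name"], filter_=spec["filter"], description=spec["description"])
    if not metric.exists():
        metric.create()
    policy = monitoring_v3.AlertPolicy.from_json(json.dumps(build_alert_policy(channels)))
    created = monitoring_v3.AlertPolicyServiceClient().create_alert_policy(
        name=f"projects/{project_id}", alert_policy=policy)
    print("created alert policy", created.name)
```

The JSON from `build_alert_policy` is exactly what the CLI path needs: write it to a file and pass it to `gcloud alpha monitoring policies create --policy-from-file`, after creating the metric with `gcloud logging metrics create custom_role_changes --log-filter=...`. Feeding the output of `gcloud logging metrics list --format=json` and `gcloud alpha monitoring policies list --format=json` into `is_remediated` gives the verification the CLI section's channel listing alone does not.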
Using Python
To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” in GCP using Python, follow the steps below:
- First, check whether the Stackdriver Logging API (now called the Cloud Logging API) is enabled for the project. You can do this by running the following command in the Cloud Shell:
- If the Logging API is not enabled, enable it by running the following command:
- Next, create a sink to export the logs to Cloud Pub/Sub by running the following command. Note: replace [SINK_NAME], [PROJECT_ID], and [TOPIC_NAME] with appropriate values.
- After creating the sink, grant the Pub/Sub Publisher role on the topic to the sink's writer identity, the service account Cloud Logging uses to publish entries on the sink's behalf. Without this binding the sink is created but every export fails. You can do this by running the following command. Note: replace <PROJECT_ID> and <SERVICE_ACCOUNT_EMAIL> with appropriate values.
- Finally, create a Cloud Function that is triggered by the Pub/Sub topic and sends an alert to the appropriate channels. You can use the following Python code as a starting point. Note: replace the TODO comment with the actual alerting logic.
- Deploy the Cloud Function by running the following command. Note: replace <FUNCTION_NAME> and <TOPIC_NAME> with appropriate values.
After following these steps, your GCP project should be remediated for the misconfiguration “Custom Role Change Log Alerts Should Be Enabled”.
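For the last two steps above, this is an added example, not the page's own starting-point code, of the function body that the TODO would hold. It decodes the LogEntry that Pub/Sub delivers to a topic-triggered function, checks that the entry really is a custom-role change before alerting (the sink filter should already guarantee that, but a function should not page on noise if the filter is later loosened), and turns the entry into an alert line. It assumes the sink from the earlier steps routes entries into the topic; the entry point name `handle_role_change` and the sample log entry are constructed for this example, and the final `print` is where a real notification (pager, chat webhook, email) would go.

```python
"""Pub/Sub-triggered Cloud Function body for the custom-role-change sink (added example)."""
import base64
import json

# Audit-log method names that mean a custom role was changed, mapped to a verb for the alert.
ROLE_CHANGE_METHODS = {
    "google.iam.admin.v1.CreateRole": "created",
    "google.iam.admin.v1.UpdateRole": "updated",
    "google.iam.admin.v1.DeleteRole": "deleted",
}


def parse_role_change(entry):
    """Return an alert dict for a LogEntry describing a custom-role change, or None if it is not one."""
    if entry.get("resource", {}).get("type") != "iam_role":
        return None
    payload = entry.get("protoPayload") or {}
    action = ROLE_CHANGE_METHODS.get(payload.get("methodName"))
    if action is None:
        return None
    return {
        "action": action,
        "role": payload.get("resourceName", "<unknown role>"),
        "actor": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown principal>"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "<unknown ip>"),
        "time": entry.get("timestamp", "<no timestamp>"),
        "insert_id": entry.get("insertId"),
    }


def format_alert(alert):
    """One-line, grep-friendly summary carrying who, what, when and from where."""
    return (f"[{alert['time']}] custom role {alert['role']} {alert['action']} by {alert['actor']} "
            f"from {alert['caller_ip']} (insertId={alert['insert_id']})")


def decode_pubsub_message(event):
    """Pub/Sub hands the exported LogEntry to the function as base64-encoded JSON in event['data']."""
    raw = base64.b64decode(event.get("data", b""))
    return json.loads(raw) if raw else None


def handle_role_change(event, context=None):
    """Entry point: gcloud functions deploy <FUNCTION_NAME> --entry-point handle_role_change --trigger-topic <TOPIC_NAME>
    Returns the alert text that was sent, or None when the message was ignored."""
    try:
        entry = decode_pubsub_message(event)
    except ValueError as exc:            # covers binascii.Error (bad base64) and JSONDecodeError
        print(f"ignoring undecodable message: {exc}")
        return None
    alert = parse_role_change(entry) if entry else None
    if alert is None:
        return None                      # not a custom-role change: do not page on it
    message = format_alert(alert)
    print(message)                       # TODO in the original: replace with the team's real notification call
    return message


# Constructed sample of an exported audit LogEntry, trimmed to the fields the function reads.
SAMPLE_ENTRY = {
    "insertId": "abc123",
    "timestamp": "2024-01-01T12:00:00Z",
    "resource": {"type": "iam_role",
                 "labels": {"project_id": "my-project", "role_name": "projects/my-project/roles/customAdmin"}},
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "methodName": "google.iam.admin.v1.UpdateRole",
        "resourceName": "projects/my-project/roles/customAdmin",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
    },
}


def sample_event(entry=SAMPLE_ENTRY):
    """Wrap a LogEntry the way Pub/Sub delivers it, for local runs and tests."""
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode()}


if __name__ == "__main__":
    handle_role_change(sample_event(), None)
```

Running the file locally prints the alert line for the sample entry; in the deployed function the same line lands in Cloud Logging, which is useful as an audit trail of what was paged even after the notification call is wired in.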