GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud Sql Data Access Audit Logging Should Be Enabled
More Info:
Ensure that Cloud SQL Data Access Logging is configured properly across all users from a project.
Risk Level
Low
Address
Security
Compliance Standards
NIST, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using GCP console, please follow the below steps:
- Login to the Google Cloud Console.
- Navigate to the Cloud SQL instances page.
- Select the instance for which you want to enable audit logging.
- Click on the “Edit” button at the top of the page.
- Scroll down to the “Additional settings” section and click on it.
- Under the “Audit logging” section, select the checkbox next to “Audit logs” to enable audit logging.
- Choose the destination bucket where logs should be stored.
- Click on the “Save” button to save the changes.
After completing these steps, audit logs for Cloud SQL data access will be enabled and stored in the specified destination bucket.
To remediate the misconfiguration “Cloud SQL Data Access Audit Logging Should Be Enabled” in GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to enable audit logging for Cloud SQL:
gcloud sql instances patch [INSTANCE_NAME] --enable-audit-log
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
- Verify that audit logging is enabled by running the following command:
gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.auditLogConfig)"
This command should return the audit log configuration for your Cloud SQL instance.
- If you want to disable audit logging for Cloud SQL, run the following command:
gcloud sql instances patch [INSTANCE_NAME] --no-enable-audit-log
This will disable audit logging for your Cloud SQL instance.
Note: Enabling audit logging for Cloud SQL can generate a significant amount of logs, which can impact performance and incur additional costs. It is recommended to configure log retention policies to manage the log data.
To remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python, please follow the below steps:
- Create a Cloud SQL instance object using the
google.cloud.sql_v1beta4library in python:
from google.cloud import sql_v1beta4
from google.cloud.sql_v1beta4 import enums
project_id = "your-project-id"
instance_id = "your-instance-id"
client = sql_v1beta4.SqlInstancesServiceClient()
instance_path = client.instance_path(project_id, instance_id)
instance = client.get(instance_path)
- Check if the audit logs are enabled for the Cloud SQL instance:
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
print("Cloud SQL data access audit logging is not enabled.")
else:
print("Cloud SQL data access audit logging is already enabled.")
- If the audit logs are not enabled, enable them using the
patchmethod:
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
instance.settings.database_flags["cloud_sql_data_access_audit_logs"] = "ON"
update_mask = {"paths": ["settings.database_flags.cloud_sql_data_access_audit_logs"]}
operation = client.patch(instance=instance, update_mask=update_mask, instance=instance)
operation.result()
print("Cloud SQL data access audit logging has been enabled.")
else:
print("Cloud SQL data access audit logging is already enabled.")
- Verify that the audit logs are enabled:
instance = client.get(instance_path)
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "ON":
print("Cloud SQL data access audit logging is now enabled.")
else:
print("Cloud SQL data access audit logging could not be enabled.")
These steps will remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python.