Cloud Sql Data Access Audit Logging Should Be Enabled

More Info:

Ensure that Cloud SQL Data Access Logging is configured properly across all users from a project.

Risk Level

Low

Address

Security

Compliance Standards

NIST, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Cloud SQL Data Access Audit Logging Should Be Enabled” in GCP using GCP CLI, follow these steps:

Open the Cloud Shell in the GCP Console.
Run the following command to enable audit logging for Cloud SQL:

gcloud sql instances patch [INSTANCE_NAME] --enable-audit-log

Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.

Verify that audit logging is enabled by running the following command:

gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.auditLogConfig)"

This command should return the audit log configuration for your Cloud SQL instance.

If you want to disable audit logging for Cloud SQL, run the following command:

gcloud sql instances patch [INSTANCE_NAME] --no-enable-audit-log

This will disable audit logging for your Cloud SQL instance.Note: Enabling audit logging for Cloud SQL can generate a significant amount of logs, which can impact performance and incur additional costs. It is recommended to configure log retention policies to manage the log data.

Using Python

To remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python, please follow the below steps:

Create a Cloud SQL instance object using the google.cloud.sql_v1beta4 library in python:

from google.cloud import sql_v1beta4
from google.cloud.sql_v1beta4 import enums

project_id = "your-project-id"
instance_id = "your-instance-id"
client = sql_v1beta4.SqlInstancesServiceClient()
instance_path = client.instance_path(project_id, instance_id)
instance = client.get(instance_path)

Check if the audit logs are enabled for the Cloud SQL instance:

if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
    print("Cloud SQL data access audit logging is not enabled.")
else:
    print("Cloud SQL data access audit logging is already enabled.")

If the audit logs are not enabled, enable them using the patch method:

if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
    instance.settings.database_flags["cloud_sql_data_access_audit_logs"] = "ON"
    update_mask = {"paths": ["settings.database_flags.cloud_sql_data_access_audit_logs"]}
    operation = client.patch(instance=instance, update_mask=update_mask, instance=instance)
    operation.result()
    print("Cloud SQL data access audit logging has been enabled.")
else:
    print("Cloud SQL data access audit logging is already enabled.")

Verify that the audit logs are enabled:

instance = client.get(instance_path)
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "ON":
    print("Cloud SQL data access audit logging is now enabled.")
else:
    print("Cloud SQL data access audit logging could not be enabled.")

These steps will remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python.

Additional Reading:

https://cloud.google.com/sql/docs/mysql/audit-logging#available-logs

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Cloud Sql Data Access Audit Logging Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: