More Info:

Ensure that Cloud SQL Data Access Logging is configured properly across all users from a project.

Risk Level

Low

Address

Security

Compliance Standards

NIST, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using GCP console, please follow the below steps:
  1. Login to the Google Cloud Console.
  2. Navigate to the Cloud SQL instances page.
  3. Select the instance for which you want to enable audit logging.
  4. Click on the “Edit” button at the top of the page.
  5. Scroll down to the “Additional settings” section and click on it.
  6. Under the “Audit logging” section, select the checkbox next to “Audit logs” to enable audit logging.
  7. Choose the destination bucket where logs should be stored.
  8. Click on the “Save” button to save the changes.
After completing these steps, audit logs for Cloud SQL data access will be enabled and stored in the specified destination bucket.

To remediate the misconfiguration “Cloud SQL Data Access Audit Logging Should Be Enabled” in GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to enable audit logging for Cloud SQL:
gcloud sql instances patch [INSTANCE_NAME] --enable-audit-log
Replace [INSTANCE_NAME] with the name of your Cloud SQL instance.
  1. Verify that audit logging is enabled by running the following command:
gcloud sql instances describe [INSTANCE_NAME] --format="value(settings.auditLogConfig)"
This command should return the audit log configuration for your Cloud SQL instance.
  1. If you want to disable audit logging for Cloud SQL, run the following command:
gcloud sql instances patch [INSTANCE_NAME] --no-enable-audit-log
This will disable audit logging for your Cloud SQL instance.Note: Enabling audit logging for Cloud SQL can generate a significant amount of logs, which can impact performance and incur additional costs. It is recommended to configure log retention policies to manage the log data.
To remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python, please follow the below steps:
  1. Create a Cloud SQL instance object using the google.cloud.sql_v1beta4 library in python:
from google.cloud import sql_v1beta4
from google.cloud.sql_v1beta4 import enums

project_id = "your-project-id"
instance_id = "your-instance-id"
client = sql_v1beta4.SqlInstancesServiceClient()
instance_path = client.instance_path(project_id, instance_id)
instance = client.get(instance_path)
  1. Check if the audit logs are enabled for the Cloud SQL instance:
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
    print("Cloud SQL data access audit logging is not enabled.")
else:
    print("Cloud SQL data access audit logging is already enabled.")
  1. If the audit logs are not enabled, enable them using the patch method:
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "OFF":
    instance.settings.database_flags["cloud_sql_data_access_audit_logs"] = "ON"
    update_mask = {"paths": ["settings.database_flags.cloud_sql_data_access_audit_logs"]}
    operation = client.patch(instance=instance, update_mask=update_mask, instance=instance)
    operation.result()
    print("Cloud SQL data access audit logging has been enabled.")
else:
    print("Cloud SQL data access audit logging is already enabled.")
  1. Verify that the audit logs are enabled:
instance = client.get(instance_path)
if instance.settings.database_flags.get("cloud_sql_data_access_audit_logs") == "ON":
    print("Cloud SQL data access audit logging is now enabled.")
else:
    print("Cloud SQL data access audit logging could not be enabled.")
These steps will remediate the misconfiguration “Cloud SQL data access audit logging should be enabled” for GCP using python.

Additional Reading: