More Info:

Ensures that logging and log alerts exist for storage permission changes. Storage permissions include access to the buckets that store the logs, any changes in storage permissions should be heavily monitored to prevent unauthorized changes.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using GCP console, follow the below steps:
  1. Open the Google Cloud Console and select the project for which you want to enable storage permissions change log alerts.
  2. Navigate to the Cloud Storage page and select the bucket for which you want to enable the alerts.
  3. Click on the “Edit Bucket Details” button to open the bucket details page.
  4. Scroll down to the “Advanced Settings” section and click on the “Edit Bucket Permissions” button.
  5. In the “Bucket Permissions” window, click on the “Add Member” button.
  6. In the “Add members” window, enter the email address of the user or group that you want to receive the alerts.
  7. In the “Select a role” dropdown menu, select the “Storage Object Admin” role.
  8. Click on the “Save” button to add the member with the selected role.
  9. Now, click on the “Add Notification” button in the “Advanced Settings” section.
  10. In the “Add Notification” window, select the “Object Change” event type.
  11. In the “Filter” section, select the “All object changes” option.
  12. In the “Delivery” section, select the “Email” option and enter the email address of the user or group that you added in step 6.
  13. Click on the “Save” button to save the notification.
  14. Repeat steps 9 to 13 for each user or group that you want to receive the alerts.
  15. Once you have added all the necessary members and notifications, click on the “Save” button to save the changes.
By following these steps, you have successfully enabled storage permissions change log alerts for the selected bucket in GCP.

To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the GCP CLI terminal and authenticate with your GCP account using the following command: 
    gcloud auth login
  2. Check whether the Stackdriver Logging API is enabled or not using the following command: 
    gcloud services list --enabled | grep logging.googleapis.com
    If the Stackdriver Logging API is not enabled, then enable it using the following command: 
    gcloud services enable logging.googleapis.com
  3. Create a sink to export logs to Cloud Pub/Sub using the following command: 
    gcloud logging sinks create [SINK_NAME] pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_NAME] --log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.buckets.update" AND protoPayload.request.updateMask.fieldPaths="iamConfiguration" AND protoPayload.response.iamConfiguration' --include-children
    Replace the [SINK_NAME] with a name for the sink, [PROJECT_ID] with the ID of the GCP project, and [TOPIC_NAME] with the name of the Cloud Pub/Sub topic to export the logs to.
  4. Grant the Cloud Pub/Sub Publisher role to the service account used by the sink using the following command: 
    gcloud projects add-iam-policy-binding [PROJECT_ID] --member=serviceAccount:[SINK_SERVICE_ACCOUNT] --role=roles/pubsub.publisher
    Replace the [PROJECT_ID] with the ID of the GCP project and [SINK_SERVICE_ACCOUNT] with the email address of the service account used by the sink.
  5. Enable the sink using the following command: 
    gcloud logging sinks update [SINK_NAME] --destination=pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_NAME] --include-children
    Replace the [SINK_NAME] with the name of the sink, [PROJECT_ID] with the ID of the GCP project, and [TOPIC_NAME] with the name of the Cloud Pub/Sub topic to export the logs to.
With the above steps, you have successfully remediated the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using Python, you can follow these steps:
  1. Import the necessary libraries:
from google.cloud import logging_v2
from google.cloud.logging_v2 import enums
from google.cloud.logging_v2.resource import Resource
  1. Set up the client:
client = logging_v2.LoggingServiceV2Client()
  1. Define the project ID:
project_id = 'your-project-id'
  1. Define the log sink:
log_sink = 'storage-permissions-change-log-alerts'
  1. Define the log filter:
log_filter = 'logName:"cloudaudit.googleapis.com%2Factivity" AND protoPayload.methodName:"storage.buckets.update" AND protoPayload.serviceName:"storage.googleapis.com"'
  1. Define the log sink destination:
log_sink_destination = f"storage.googleapis.com/{log_sink}"
  1. Define the log sink configuration:
sink_config = {
    "name": log_sink,
    "destination": log_sink_destination,
    "filter": log_filter,
    "output_version_format": enums.LogSink.VersionFormat.V2
}
  1. Define the log sink resource:
project_resource = Resource(type="project", labels={"project_id": project_id})
  1. Create the log sink:
response = client.create_sink(project_resource.project_id, sink_config)
  1. Verify that the log sink was created successfully:
if response.name == f"projects/{project_id}/sinks/{log_sink}":
    print(f"Log sink {log_sink} created successfully.")
else:
    print(f"Failed to create log sink {log_sink}.")
These steps will enable the storage permissions change log alerts for GCP using Python.

Additional Reading: