GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Firewall Change Log Alerts Should Be Enabled
More Info:
Ensures that logging and log alerts exist for firewall rule changes.
Risk Level
Low
Address
Security
Compliance Standards
CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration “Firewall Change Log Alerts Should Be Enabled” for GCP using GCP console, follow the below steps:
- Login to your GCP console.
- Navigate to the Security Command Center.
- Click on the “Security Health Analytics” option from the left-hand menu.
- Click on the “Firewall rules” option.
- Select the project for which you want to enable Firewall Change Log Alerts.
- Click on the “Edit” button.
- Scroll down to the “Logging” section and enable the “Firewall Change Log” option.
- Click on the “Save” button to save the changes.
By following the above steps, you have successfully enabled the Firewall Change Log Alerts for the selected project in GCP. This will help you to track any changes made to the firewall rules and take necessary actions in case of any unauthorized changes.
To remediate the misconfiguration “Firewall Change Log Alerts Should Be Enabled” for GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
- Run the following command to enable firewall log exports:
gcloud logging sinks create firewall_logs_sink storage.googleapis.com/[BUCKET_NAME] --log-filter="resource.type=gce_firewall_rule AND protoPayload.methodName=compute.firewalls.patch AND protoPayload.serviceData.rule.direction=INGRESS" --include-children --organization=[ORGANIZATION_ID] --project=[PROJECT_ID]
Replace [BUCKET_NAME] with the name of the GCS bucket where you want to store the logs, [ORGANIZATION_ID] with the ID of your GCP organization, and [PROJECT_ID] with the ID of the GCP project where you want to enable the firewall log exports.
- Run the following command to grant the
Logs Writerrole to the[email protected]service account:
gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[email protected]" --role="roles/logging.logWriter"
Replace [PROJECT_ID] with the ID of the GCP project where you enabled the firewall log exports.
- Run the following command to create a firewall rule to allow traffic from the
[email protected]service account:
gcloud compute firewall-rules create allow-cloud-logs --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:22 [email protected] --target-tags=allow-cloud-logs
- Run the following command to add the
allow-cloud-logstag to the instances where you want to allow traffic from the[email protected]service account:
gcloud compute instances add-tags [INSTANCE_NAME] --tags=allow-cloud-logs --zone=[ZONE]
Replace [INSTANCE_NAME] with the name of the instance where you want to allow traffic from the [email protected] service account, and [ZONE] with the zone where the instance is located.
By following these steps, you will enable firewall log exports and allow the [email protected] service account to access the logs.
To remediate the misconfiguration “Firewall Change Log Alerts Should Be Enabled” in GCP using Python, you can follow the below steps:
Step 1: Install the necessary libraries
pip install google-cloud-logging google-auth
Step 2: Authenticate with GCP
from google.oauth2 import service_account
from google.cloud import logging_v2
credentials = service_account.Credentials.from_service_account_file(
'/path/to/your/credentials.json')
client = logging_v2.LoggingServiceV2Client(credentials=credentials)
Step 3: Create a log sink
from google.cloud.logging_v2.types import LogSink
sink_name = "firewall-change-log-alerts"
destination_uri = "pubsub://projects/{project_id}/topics/{topic_name}"
filter_ = "logName=projects/{project_id}/logs/compute.googleapis.com%2Ffirewall"
sink = LogSink(
name=sink_name,
destination=destination_uri,
filter=filter_,
include_children=True
)
parent = f"projects/{project_id}"
client.create_sink(parent=parent, sink=sink)
Step 4: Verify the log sink
sinks = client.list_sinks(parent=f"projects/{project_id}")
for sink in sinks:
if sink.name == sink_name:
print("Log sink created successfully")
break
else:
print("Log sink creation failed")
After running these steps, the log sink for Firewall Change Log Alerts will be created successfully in GCP using Python.