Cloud Monitoring Should Monitor Storage ACL Based Object Access Count
More Info:
Ensure Cloud Monitoring monitors storage ACL based object access count.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using the GCP console, you can follow the below steps:
- Go to the GCP console and navigate to the Cloud Storage section.
- Select the bucket for which you want to enable ACL based object access count monitoring.
- Click on the “Edit bucket permissions” button located on the top of the page.
- Under the “Add members” section, add the email address of the user or service account for which you want to enable ACL based object access count monitoring.
- Select the “Storage Object Viewer” role for the added member.
- Click on the “Add” button to add the member to the bucket’s permissions.
- Go to the Cloud Monitoring section of the GCP console.
- Click on the “Uptime checks” tab and then click on the “Create uptime check” button.
- Enter the required details for the uptime check, such as the name, check frequency, and target.
- Under the “Advanced options” section, enable the “Log matched log entries” option.
- Under the “Log-based metrics” section, select “Cloud Storage” as the log source and then select the log name for the bucket for which you enabled ACL based object access count monitoring.
- Set the required filters for the log-based metric and then click on the “Create” button.
Using CLI
Using CLI
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using GCP CLI, follow these steps:
- Open the Cloud Shell in the GCP Console.
-
Run the following command to enable Cloud Storage access logs:
gsutil logging set on gs://[BUCKET_NAME]Replace[BUCKET_NAME]with the name of the bucket you want to enable access logs for. -
Run the following command to create a new bucket for the access logs:
gsutil mb -p [PROJECT_ID] -c regional -l [REGION] gs://[BUCKET_NAME]Replace[PROJECT_ID]with your GCP project ID,[REGION]with the region where you want to create the bucket, and[BUCKET_NAME]with the name of the bucket you want to create. -
Run the following command to set the logging configuration for the bucket:
Replace
[BUCKET_NAME]with the name of the bucket you want to enable access logs for. -
Verify that access logs are being written to the bucket by running the following command:
gsutil ls -la gs://[BUCKET_NAME]/Replace[BUCKET_NAME]with the name of the bucket you created in step 3. - You can now use Cloud Monitoring to monitor the access logs and count the number of ACL-based object accesses. To do this, follow these steps: a. Open the Cloud Monitoring console in the GCP Console. b. Click on “Metrics Explorer” in the left-hand menu. c. In the “Find resource type and metric” search box, type “gcs_bucket_access_count”. d. Select the “gcs_bucket_access_count” metric from the list. e. In the “Filter by label” section, select the bucket you want to monitor. f. Click on “Add filter”. g. In the “Find resource type and metric” search box, type “gcs_bucket_accessed_via_acl_count”. h. Select the “gcs_bucket_accessed_via_acl_count” metric from the list. i. In the “Filter by label” section, select the bucket you want to monitor. j. Click on “Add filter”. k. Click on “Create chart” to create a chart showing the number of ACL-based object accesses for the selected bucket.
Using Python
Using Python
To remediate the misconfiguration of monitoring storage ACL based object access count in GCP using python, you can follow these steps:
- First, you need to enable Cloud Storage API in your GCP project.
-
Next, you need to install the Google Cloud Storage Python client library by running the following command:
-
Once the library is installed, you can use the following python code to monitor the storage ACL based object access count:
- You can run this code periodically to monitor the storage ACL based object access count in your GCP project. You can also modify this code to send alerts or notifications when access count exceeds a certain threshold.