More Info:

Ensure Cloud Monitoring monitors storage ACL based object access count.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using the GCP console, you can follow the below steps:
  1. Go to the GCP console and navigate to the Cloud Storage section.
  2. Select the bucket for which you want to enable ACL based object access count monitoring.
  3. Click on the “Edit bucket permissions” button located on the top of the page.
  4. Under the “Add members” section, add the email address of the user or service account for which you want to enable ACL based object access count monitoring.
  5. Select the “Storage Object Viewer” role for the added member.
  6. Click on the “Add” button to add the member to the bucket’s permissions.
  7. Go to the Cloud Monitoring section of the GCP console.
  8. Click on the “Uptime checks” tab and then click on the “Create uptime check” button.
  9. Enter the required details for the uptime check, such as the name, check frequency, and target.
  10. Under the “Advanced options” section, enable the “Log matched log entries” option.
  11. Under the “Log-based metrics” section, select “Cloud Storage” as the log source and then select the log name for the bucket for which you enabled ACL based object access count monitoring.
  12. Set the required filters for the log-based metric and then click on the “Create” button.
By following these steps, you can remediate the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using the GCP console.

To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using GCP CLI, follow these steps:
  1. Open the Cloud Shell in the GCP Console.
  2. Run the following command to enable Cloud Storage access logs: gsutil logging set on gs://[BUCKET_NAME] Replace [BUCKET_NAME] with the name of the bucket you want to enable access logs for.
  3. Run the following command to create a new bucket for the access logs: gsutil mb -p [PROJECT_ID] -c regional -l [REGION] gs://[BUCKET_NAME] Replace [PROJECT_ID] with your GCP project ID, [REGION] with the region where you want to create the bucket, and [BUCKET_NAME] with the name of the bucket you want to create.
  4. Run the following command to set the logging configuration for the bucket:
    gsutil logging set on -b gs://[BUCKET_NAME] \
    -o AccessLog \
    -t '[START_TIME],[END_TIME],[METHOD],[RESOURCE],[PROTOCOL],[STATUS],[REQUESTER],[REQUEST_ID],[OBJECT_SIZE],[VERSION_ID],[BUCKET_NAME],[OBJECT_NAME],[REMOTE_IP],[SERVER_IP],[REFERER],[USER_AGENT],[VERSION_FORMAT],[ERROR_CODE],[ERROR_MESSAGE]' \
    gs://[BUCKET_NAME]
    
    Replace [BUCKET_NAME] with the name of the bucket you want to enable access logs for.
  5. Verify that access logs are being written to the bucket by running the following command: gsutil ls -la gs://[BUCKET_NAME]/ Replace [BUCKET_NAME] with the name of the bucket you created in step 3.
  6. You can now use Cloud Monitoring to monitor the access logs and count the number of ACL-based object accesses. To do this, follow these steps: a. Open the Cloud Monitoring console in the GCP Console. b. Click on “Metrics Explorer” in the left-hand menu. c. In the “Find resource type and metric” search box, type “gcs_bucket_access_count”. d. Select the “gcs_bucket_access_count” metric from the list. e. In the “Filter by label” section, select the bucket you want to monitor. f. Click on “Add filter”. g. In the “Find resource type and metric” search box, type “gcs_bucket_accessed_via_acl_count”. h. Select the “gcs_bucket_accessed_via_acl_count” metric from the list. i. In the “Filter by label” section, select the bucket you want to monitor. j. Click on “Add filter”. k. Click on “Create chart” to create a chart showing the number of ACL-based object accesses for the selected bucket.
That’s it! You have now remediated the misconfiguration “Cloud Monitoring Should Monitor Storage ACL Based Object Access Count” for GCP using GCP CLI.
To remediate the misconfiguration of monitoring storage ACL based object access count in GCP using python, you can follow these steps:
  1. First, you need to enable Cloud Storage API in your GCP project.
  2. Next, you need to install the Google Cloud Storage Python client library by running the following command:
    pip install google-cloud-storage
    
  3. Once the library is installed, you can use the following python code to monitor the storage ACL based object access count:
    from google.cloud import storage
    
    # Instantiates a client
    storage_client = storage.Client()
    
    # The name of the bucket
    bucket_name = "your-bucket-name"
    
    # The name of the object
    object_name = "your-object-name"
    
    # Get the bucket object
    bucket = storage_client.get_bucket(bucket_name)
    
    # Get the object ACL
    acl = bucket.get_blob(object_name).acl
    
    # Get the number of users with read permission
    num_users = len([e for e in acl if e.get("role") == "READER"])
    
    # Get the number of users with write permission
    num_writers = len([e for e in acl if e.get("role") == "WRITER"])
    
    # Log the access count
    print(f"Object {object_name} has been accessed by {num_users} readers and {num_writers} writers.")
    
  4. You can run this code periodically to monitor the storage ACL based object access count in your GCP project. You can also modify this code to send alerts or notifications when access count exceeds a certain threshold.
By following these steps, you can remediate the misconfiguration of monitoring storage ACL based object access count in GCP using python.

Additional Reading: