GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Cloud Monitoring Should Monitor Storage Authentication Counts
More Info:
Ensure Cloud Monitoring monitors storage authentication counts.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Authentication Counts” for GCP using GCP console, you can follow the below steps:
- Open the Google Cloud Console and navigate to the Cloud Storage page.
- Select the bucket that you want to monitor and click on the “Edit bucket details” button.
- In the “Edit bucket details” page, scroll down to the “Access control” section.
- Under the “Access control” section, you will see a list of all the users and groups that have access to the bucket.
- Click on the “Add members” button to add new members to the bucket.
- In the “Add members” dialog box, enter the email address of the user or group that you want to add to the bucket.
- Select the appropriate role for the user or group from the dropdown menu. For example, you can select “Storage Object Viewer” or “Storage Object Creator” depending on the level of access you want to grant.
- Click on the “Add” button to add the user or group to the bucket.
- Repeat steps 6-8 for all the users and groups that need access to the bucket.
- Once you have added all the necessary users and groups, click on the “Save” button to save the changes.
By following the above steps, you will be able to remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Authentication Counts” for GCP using GCP console.
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Authentication Counts” for GCP using GCP CLI, follow the below steps:
-
Open the Cloud Shell in GCP Console.
-
Run the following command to enable the Cloud Storage API:
gcloud services enable storage-api.googleapis.com
- Run the following command to create a Pub/Sub topic to store the audit logs:
gcloud pubsub topics create [TOPIC_NAME]
- Run the following command to grant the Cloud Storage service account permission to publish messages to the Pub/Sub topic:
gcloud projects add-iam-policy-binding [PROJECT_ID] --member="serviceAccount:[SERVICE_ACCOUNT_EMAIL]" --role="roles/pubsub.publisher"
Note: Replace [TOPIC_NAME], [PROJECT_ID], and [SERVICE_ACCOUNT_EMAIL] with the appropriate values.
- Run the following command to create a sink to export Cloud Storage audit logs to the Pub/Sub topic:
gcloud logging sinks create [SINK_NAME] pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_NAME] --log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.objects.create" AND protoPayload.authenticationInfo.principalEmail!="service-[PROJECT_NUMBER]@gcp-sa-logging.iam.gserviceaccount.com"'
Note: Replace [SINK_NAME], [PROJECT_ID], and [TOPIC_NAME] with the appropriate values.
- Run the following command to update the Cloud Storage bucket to export audit logs to the sink:
gsutil logging set on -b gs://[BUCKET_NAME] -o [SINK_NAME]
Note: Replace [BUCKET_NAME] and [SINK_NAME] with the appropriate values.
- Verify that the sink is exporting audit logs to the Pub/Sub topic by checking the topic subscription:
gcloud pubsub subscriptions describe projects/[PROJECT_ID]/subscriptions/[SUBSCRIPTION_NAME]
Note: Replace [PROJECT_ID] and [SUBSCRIPTION_NAME] with the appropriate values.
By following the above steps, you can remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Authentication Counts” for GCP using GCP CLI.
To remediate the issue of monitoring storage authentication counts in GCP using Python, follow these steps:
- Install the required libraries: Use the following command to install the required libraries:
!pip install google-cloud-storage
- Set up authentication: Use the following code to authenticate your GCP account:
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('path/to/your/credentials.json')
- Create a Storage client: Use the following code to create a Storage client:
from google.cloud import storage
storage_client = storage.Client(credentials=credentials)
- Get the bucket: Use the following code to get the bucket:
bucket = storage_client.get_bucket('your-bucket-name')
- Get the IAM policy: Use the following code to get the IAM policy:
policy = bucket.get_iam_policy(requested_policy_version=3)
- Update the IAM policy: Use the following code to update the IAM policy:
from google.cloud.storage import BucketIAMMember
from google.cloud.storage import StoragePermissions
policy.bindings.append(BucketIAMMember('allUsers', 'roles/storage.objectViewer'))
policy.bindings.append(BucketIAMMember('allAuthenticatedUsers', 'roles/storage.objectViewer'))
policy.bindings.append(BucketIAMMember('allUsers', 'roles/storage.objectCreator'))
policy.bindings.append(BucketIAMMember('allAuthenticatedUsers', 'roles/storage.objectCreator'))
policy.version += 1
bucket.set_iam_policy(policy)
- Verify the IAM policy: Use the following code to verify the IAM policy:
policy = bucket.get_iam_policy(requested_policy_version=3)
print(policy)
These steps will remediate the issue of monitoring storage authentication counts in GCP using Python.