More Info:

Ensure Cloud Monitoring monitors storage object specific ACL mutation count.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using the GCP console, follow the steps below:
  1. Log in to your GCP console and navigate to the Cloud Storage page.
  2. Click on the bucket that you want to monitor.
  3. Click on the “Permissions” tab.
  4. Review the current IAM policies and ensure that only authorized users or groups have access to the bucket.
  5. Click on the “Edit Bucket Permissions” button.
  6. Remove any unnecessary or unauthorized users or groups from the IAM policies.
  7. Click on the “Add Members” button to add authorized users or groups to the IAM policies.
  8. Set the appropriate permissions for each user or group.
  9. Click on the “Save” button to save the changes.
  10. Navigate to the Cloud Monitoring page.
  11. Click on the “Uptime Checks” tab.
  12. Click on the “Create Uptime Check” button.
  13. Select “Cloud Storage” as the resource type.
  14. Enter the bucket name and select the appropriate region.
  15. Set the check interval and timeout values.
  16. Click on the “Next” button.
  17. Set the alerting policy for the uptime check.
  18. Click on the “Create” button to create the uptime check.
  19. Test the uptime check to ensure that it is monitoring the bucket’s ACL mutation count.
By following these steps, you can remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using the GCP console.

To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using GCP CLI, follow the below steps:
  1. Open the Google Cloud Console and select the project in which the storage bucket is located.
  2. Open the Cloud Shell by clicking on the icon in the top right-hand corner of the console.
  3. Run the following command to enable the Cloud Storage API: 
gcloud services enable storage-api.googleapis.com
  1. Run the following command to create a metric descriptor for tracking ACL mutations:
gcloud beta monitoring metric-descriptors create \
--type=custom.googleapis.com/storage/object/iam_mutation_count \
--description="Count of mutations to a storage object's IAM policy" \
--metric-kind=DELTA \
--value-type=INT64 \
--display-name="Storage Object IAM Mutation Count"
  1. Run the following command to create a log-based metric for tracking ACL mutations:
gcloud beta logging metrics create storage-object-iam-mutation-count \
--description="Count of mutations to a storage object's IAM policy" \
--log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.objects.update" AND protoPayload.request.updateMask.fieldPaths:"acl"' \
--metric-descriptors=custom.googleapis.com/storage/object/iam_mutation_count
  1. Run the following command to create an alert policy for monitoring the log-based metric:
gcloud alpha monitoring policies create \
--display-name="Storage Object IAM Mutation Count Alert" \
--condition-exit-code=0 \
--condition-filter='metric.type="logging.googleapis.com/user/storage-object-iam-mutation-count" AND metric.label."bucket_name"="my-bucket"' \
--notification-channels=CHANNEL_ID \
--combiner=OR \
--duration=300s \
--comparison=COMPARISON_GT \
--threshold-value=1
Note: Replace “my-bucket” with the name of the storage bucket you want to monitor and replace “CHANNEL_ID” with the ID of the notification channel you want to use.
  1. Verify that the alert policy is created successfully by running the following command:
gcloud alpha monitoring policies list
Now, you have successfully remediated the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using GCP CLI.
To remediate the misconfiguration of not monitoring the storage object-specific ACL mutation count in GCP, you can follow these steps using Python:
  1. Install the required libraries:
pip install google-cloud-storage
pip install google-auth
  1. Create a service account and download the JSON key file.
  2. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the path of the JSON key file.
  3. Use the following Python code to get the list of all buckets in your GCP project: 
from google.cloud import storage

client = storage.Client()
buckets = client.list_buckets()

for bucket in buckets:
    print(bucket.name)
  1. Use the following Python code to get the list of all objects in a bucket:
from google.cloud import storage

client = storage.Client()
bucket = client.get_bucket('bucket-name')
blobs = bucket.list_blobs()

for blob in blobs:
    print(blob.name)
  1. Use the following Python code to get the ACL of a storage object:
from google.cloud import storage

client = storage.Client()
bucket = client.get_bucket('bucket-name')
blob = bucket.get_blob('object-name')
acl = blob.acl

for entry in acl:
    print(entry)
  1. Use the following Python code to update the ACL of a storage object:
from google.cloud import storage

client = storage.Client()
bucket = client.get_bucket('bucket-name')
blob = bucket.get_blob('object-name')
acl = blob.acl

# Add a new entry to the ACL
entry = storage.acl.Entity('user-email', 'user')
acl.add_entity(entry)
acl.save()
  1. Finally, you can use the above Python code snippets to monitor the storage object-specific ACL mutation count and take appropriate actions if the count exceeds a certain threshold.
Note: It is important to ensure that the service account used has sufficient permissions to access the required resources.

Additional Reading: