Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count
More Info:
Ensure Cloud Monitoring monitors storage object specific ACL mutation count.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using the GCP console, follow the steps below:
- Log in to your GCP console and navigate to the Cloud Storage page.
- Click on the bucket that you want to monitor.
- Click on the “Permissions” tab.
- Review the current IAM policies and ensure that only authorized users or groups have access to the bucket.
- Click on the “Edit Bucket Permissions” button.
- Remove any unnecessary or unauthorized users or groups from the IAM policies.
- Click on the “Add Members” button to add authorized users or groups to the IAM policies.
- Set the appropriate permissions for each user or group.
- Click on the “Save” button to save the changes.
- Navigate to the Cloud Monitoring page.
- Click on the “Uptime Checks” tab.
- Click on the “Create Uptime Check” button.
- Select “Cloud Storage” as the resource type.
- Enter the bucket name and select the appropriate region.
- Set the check interval and timeout values.
- Click on the “Next” button.
- Set the alerting policy for the uptime check.
- Click on the “Create” button to create the uptime check.
- Test the uptime check to ensure that it is monitoring the bucket’s ACL mutation count.
Using CLI
Using CLI
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using GCP CLI, follow the below steps:Note: Replace “my-bucket” with the name of the storage bucket you want to monitor and replace “CHANNEL_ID” with the ID of the notification channel you want to use.Now, you have successfully remediated the misconfiguration “Cloud Monitoring Should Monitor Storage Object Specific ACL Mutation Count” for GCP using GCP CLI.
- Open the Google Cloud Console and select the project in which the storage bucket is located.
- Open the Cloud Shell by clicking on the icon in the top right-hand corner of the console.
- Run the following command to enable the Cloud Storage API:
- Run the following command to create a metric descriptor for tracking ACL mutations:
- Run the following command to create a log-based metric for tracking ACL mutations:
- Run the following command to create an alert policy for monitoring the log-based metric:
- Verify that the alert policy is created successfully by running the following command:
Using Python
Using Python
To remediate the misconfiguration of not monitoring the storage object-specific ACL mutation count in GCP, you can follow these steps using Python:
- Install the required libraries:
- Create a service account and download the JSON key file.
-
Set the environment variable
GOOGLE_APPLICATION_CREDENTIALSto the path of the JSON key file. - Use the following Python code to get the list of all buckets in your GCP project:
- Use the following Python code to get the list of all objects in a bucket:
- Use the following Python code to get the ACL of a storage object:
- Use the following Python code to update the ACL of a storage object:
- Finally, you can use the above Python code snippets to monitor the storage object-specific ACL mutation count and take appropriate actions if the count exceeds a certain threshold.