More Info:

Ensure Cloud Monitoring monitors storage request counts.

Risk Level

Low

Address

Reliability

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate this misconfiguration in GCP using the GCP console, follow these steps:
  1. Go to the GCP console and select the project where the storage bucket is located.
  2. Click on the “Storage” option from the left-hand menu.
  3. Select the bucket that you want to monitor and click on the “Edit bucket details” button.
  4. Scroll down to the “Advanced settings” section and click on the “Logging” tab.
  5. Click on the “Configure logs” button.
  6. In the “Log sinks” section, click on the “Add sink” button.
  7. In the “Create sink” dialog box, give a name to the sink and select the “Cloud Storage bucket” option.
  8. Select the destination bucket where you want to store the logs.
  9. In the “Filter” section, add the following filter: 
protoPayload.serviceName="storage.googleapis.com"
protoPayload.methodName="storage.objects.insert"
This filter will monitor the storage request counts for the selected bucket.
  1. Click on the “Create” button to create the sink.
  2. Go back to the bucket details page and click on the “Notifications” tab.
  3. Click on the “Add notification” button.
  4. Select the “Cloud Pub/Sub” option and create a new topic.
  5. Select the topic and set the desired notification settings.
  6. Click on the “Save” button to save the notification settings.
Now, the GCP console will monitor the storage request counts for the selected bucket and send notifications to the configured topic if any threshold is breached.

To remediate the misconfiguration in GCP using GCP CLI, you can follow the below steps:
  1. Open the Google Cloud Console and go to the Cloud Shell.
  2. Run the following command to enable the Cloud Monitoring API: 
gcloud services enable monitoring.googleapis.com
  1. Create a custom metric to monitor the storage request counts by running the following command:
gcloud monitoring metrics create storage/request_count --description "Number of storage requests" --display-name "Storage Request Count" --metric-kind "DELTA" --value-type "INT64" --unit "1"
  1. Create a new uptime check to monitor the storage request counts by running the following command:
gcloud alpha monitoring uptime-checks create http storage-request-count --display-name "Storage Request Count" --check-type "HTTP" --http-method "GET" --path "/storage/request_count" --port "80" --use-ssl --project [PROJECT_ID]
  1. Verify that the uptime check is created successfully by running the following command:
gcloud alpha monitoring uptime-checks list --project [PROJECT_ID]
  1. If the uptime check is created successfully, you will see the following output:
NAME                CHECK_TYPE  PERIOD  TIMEOUT  GRACE_PERIOD  HTTP_CHECK
storage-request-count  HTTP        60s     10s       0s           GET http://[INSTANCE_IP_ADDRESS]/storage/request_count
  1. Finally, you can view the storage request counts in the Cloud Monitoring console by navigating to the Metrics Explorer and selecting the custom metric that you created in step 3.
By following the above steps, you can remediate the misconfiguration of monitoring storage request counts in GCP using GCP CLI.
To remediate the misconfiguration “Cloud Monitoring Should Monitor Storage Request Counts” for GCP using Python, follow these steps:
  1. First, you need to enable the Cloud Storage API in your GCP project. To do this, go to the GCP Console and select your project. Then, click on “APIs & Services” in the left-hand menu and search for “Cloud Storage API”. Click on “Enable” to enable the API.
  2. Next, you need to install the necessary Python libraries to interact with the Cloud Storage API. You can use the google-cloud-storage library for this. Install it using pip by running the following command: 
    pip install google-cloud-storage
  3. Once you have installed the google-cloud-storage library, you can use it to monitor storage request counts in your GCP project. Here’s some sample Python code that you can use to do this: 
    from google.cloud import monitoring_v3
from google.oauth2 import service_account
import datetime

# Set up authentication using a service account key file
credentials = service_account.Credentials.from_service_account_file('<path-to-your-service-account-key-file>')

# Set up the Monitoring client
client = monitoring_v3.MetricServiceClient(credentials=credentials)

# Set up the query to get storage request counts
project_name = '<your-project-name>'
metric_type = 'storage.googleapis.com/storage/request_count'
now = datetime.datetime.utcnow()
minutes_ago = now - datetime.timedelta(minutes=5)
interval = monitoring_v3.TimeInterval(
    {'end_time': now, 'start_time': minutes_ago})
aggregation = monitoring_v3.Aggregation(
    {'alignment_period': {'seconds': 60}, 'per_series_aligner': 'ALIGN_SUM'})
query = f'projects/{project_name}/metricDescriptors/{metric_type}'
results = client.list_time_series(
    query,
    interval,
    monitoring_v3.ListTimeSeriesRequest.TimeSeriesView.HEADERS,
    aggregation=aggregation)

# Print the results
for result in results:
    print(result)
    This code will query the Cloud Monitoring API for storage request counts in the last 5 minutes, and print out the results.
  4. Finally, you can set up a Cloud Monitoring alert to notify you if storage request counts exceed a certain threshold. To do this, go to the Cloud Monitoring Console and create a new alerting policy. Set the condition to trigger when storage request counts exceed your desired threshold, and set up notification channels to receive alerts.

Additional Reading: