GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Bigtable Instances Should Have Audit Logging Enabled
More Info:
DATA_READ, DATA_WRITE and ADMIN_READ logs should be enabled on Cloud Bigtable Instances
Risk Level
Medium
Address
Operational Maturity, Security
Compliance Standards
HITRUST
Triage and Remediation
Remediation
To remediate the “Bigtable Instances Should Have Audit Logging Enabled” misconfiguration in GCP using the GCP console, you can follow the below steps:
- Open the Google Cloud Console and select the project in which the Bigtable instance is created.
- In the left navigation menu, select “Bigtable” under the “Storage” section.
- Select the Bigtable instance for which you want to enable audit logging.
- In the Bigtable instance details page, click on the “Edit” button at the top of the page.
- Scroll down to the “Cloud Audit Logs” section and click on the “Add logging” button.
- In the “Add logging” dialog box, select the logs that you want to enable for the Bigtable instance. You can select from the following logs:
- Admin Activity
- Data Access
- System Event
- Once you have selected the logs, click on the “Save” button to enable audit logging for the Bigtable instance.
By following the above steps, you can enable audit logging for the Bigtable instance in GCP using the GCP console.
To remediate the misconfiguration of Bigtable Instances not having audit logging enabled in GCP using GCP CLI, you can follow the below steps:
-
Open the Cloud Shell by clicking on the Activate Cloud Shell button in the top right-hand corner of the Google Cloud Console.
-
Run the following command to enable audit logging for Bigtable instances:
gcloud alpha bigtable instances update INSTANCE_ID --enable-logging --log-filter=bigtable.googleapis.com/instanceReplace
INSTANCE_IDwith the ID of the Bigtable instance for which you want to enable audit logging. -
After running the above command, you will receive a confirmation message that the instance has been updated with audit logging enabled.
Updated [https://bigtable.googleapis.com/v2/projects/PROJECT_ID/instances/INSTANCE_ID]. -
Verify that the audit logging is enabled for the Bigtable instance by running the following command:
gcloud alpha bigtable instances describe INSTANCE_ID --format="value(logging.enable)"This command will return
Trueif audit logging is enabled for the instance. -
Repeat the above steps for all the Bigtable instances in your GCP project to ensure that audit logging is enabled for all of them.
By following the above steps, you can remediate the misconfiguration of Bigtable Instances not having audit logging enabled in GCP using GCP CLI.
To remediate the misconfiguration of Bigtable Instances not having Audit Logging enabled in GCP using Python, follow these steps:
- Import the necessary libraries and authenticate the GCP credentials using the
google-cloud-bigtablelibrary andApplication Default Credentials (ADC):
from google.cloud import bigtable
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
client = bigtable.Client(project='your_project_id', credentials=credentials)
- Retrieve the list of Bigtable instances in the project using the
list_instances()method:
instances = client.list_instances()
- Loop through each instance and check if Audit Logging is enabled or not using the
get_iam_policy()method:
for instance in instances:
policy = instance.get_iam_policy(requested_policy_version=3)
bindings = policy.bindings
for binding in bindings:
if binding.role == 'roles/bigtable.admin':
if 'logging.logEntries.create' not in binding.members:
binding.members.append('group:[email protected]')
- If Audit Logging is not enabled, add the
group:[email protected]member to theroles/bigtable.adminrole using thebinding.members.append()method:
if 'logging.logEntries.create' not in binding.members:
binding.members.append('group:[email protected]')
- Update the IAM policy for the instance using the
set_iam_policy()method:
instance.set_iam_policy(policy)
- The final code would look like this:
from google.cloud import bigtable
from google.oauth2 import service_account
credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
client = bigtable.Client(project='your_project_id', credentials=credentials)
instances = client.list_instances()
for instance in instances:
policy = instance.get_iam_policy(requested_policy_version=3)
bindings = policy.bindings
for binding in bindings:
if binding.role == 'roles/bigtable.admin':
if 'logging.logEntries.create' not in binding.members:
binding.members.append('group:[email protected]')
instance.set_iam_policy(policy)
- Run the code and verify that Audit Logging is enabled for all Bigtable instances in the project.