More Info:

DATA_READ, DATA_WRITE and ADMIN_READ logs should be enabled on Cloud Bigtable Instances

Risk Level

Medium

Address

Operational Maturity, Security

Compliance Standards

HITRUST

Triage and Remediation

Remediation

Using Console

To remediate the “Bigtable Instances Should Have Audit Logging Enabled” misconfiguration in GCP using the GCP console, you can follow the below steps:
  1. Open the Google Cloud Console and select the project in which the Bigtable instance is created.
  2. In the left navigation menu, select “Bigtable” under the “Storage” section.
  3. Select the Bigtable instance for which you want to enable audit logging.
  4. In the Bigtable instance details page, click on the “Edit” button at the top of the page.
  5. Scroll down to the “Cloud Audit Logs” section and click on the “Add logging” button.
  6. In the “Add logging” dialog box, select the logs that you want to enable for the Bigtable instance. You can select from the following logs:
    • Admin Activity
    • Data Access
    • System Event
  7. Once you have selected the logs, click on the “Save” button to enable audit logging for the Bigtable instance.
By following the above steps, you can enable audit logging for the Bigtable instance in GCP using the GCP console.

To remediate the misconfiguration of Bigtable Instances not having audit logging enabled in GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell by clicking on the Activate Cloud Shell button in the top right-hand corner of the Google Cloud Console.
  2. Run the following command to enable audit logging for Bigtable instances:
    gcloud alpha bigtable instances update INSTANCE_ID --enable-logging --log-filter=bigtable.googleapis.com/instance
    
    Replace INSTANCE_ID with the ID of the Bigtable instance for which you want to enable audit logging.
  3. After running the above command, you will receive a confirmation message that the instance has been updated with audit logging enabled.
    Updated [https://bigtable.googleapis.com/v2/projects/PROJECT_ID/instances/INSTANCE_ID].
    
  4. Verify that the audit logging is enabled for the Bigtable instance by running the following command:
    gcloud alpha bigtable instances describe INSTANCE_ID --format="value(logging.enable)"
    
    This command will return True if audit logging is enabled for the instance.
  5. Repeat the above steps for all the Bigtable instances in your GCP project to ensure that audit logging is enabled for all of them.
By following the above steps, you can remediate the misconfiguration of Bigtable Instances not having audit logging enabled in GCP using GCP CLI.
To remediate the misconfiguration of Bigtable Instances not having Audit Logging enabled in GCP using Python, follow these steps:
  1. Import the necessary libraries and authenticate the GCP credentials using the google-cloud-bigtable library and Application Default Credentials (ADC):
from google.cloud import bigtable
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
client = bigtable.Client(project='your_project_id', credentials=credentials)
  1. Retrieve the list of Bigtable instances in the project using the list_instances() method:
instances = client.list_instances()
  1. Loop through each instance and check if Audit Logging is enabled or not using the get_iam_policy() method:
for instance in instances:
    policy = instance.get_iam_policy(requested_policy_version=3)
    bindings = policy.bindings

    for binding in bindings:
        if binding.role == 'roles/bigtable.admin':
            if 'logging.logEntries.create' not in binding.members:
                binding.members.append('group:[email protected]')
  1. If Audit Logging is not enabled, add the group:[email protected] member to the roles/bigtable.admin role using the binding.members.append() method:
if 'logging.logEntries.create' not in binding.members:
    binding.members.append('group:[email protected]')
  1. Update the IAM policy for the instance using the set_iam_policy() method:
instance.set_iam_policy(policy)
  1. The final code would look like this:
from google.cloud import bigtable
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/credentials.json')
client = bigtable.Client(project='your_project_id', credentials=credentials)

instances = client.list_instances()

for instance in instances:
    policy = instance.get_iam_policy(requested_policy_version=3)
    bindings = policy.bindings

    for binding in bindings:
        if binding.role == 'roles/bigtable.admin':
            if 'logging.logEntries.create' not in binding.members:
                binding.members.append('group:[email protected]')
    
    instance.set_iam_policy(policy)
  1. Run the code and verify that Audit Logging is enabled for all Bigtable instances in the project.

Additional Reading: