Bucket Logging Should Be Enabled
More Info:
Ensures object logging is enabled on storage buckets. Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident.Risk Level
LowAddress
Reliability, SecurityCompliance Standards
SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the bucket logging misconfiguration in GCP using the GCP console, follow these steps:
- Open the GCP console and navigate to the Storage section.
- Select the bucket for which you want to enable logging.
- Click on the “Edit bucket details” button at the top of the page.
- Scroll down to the “Logging” section and click on the “Configure” button.
- In the “Configure logging” dialog box, select the “Cloud Audit Logs” option.
- Choose the appropriate logs you want to receive and click on the “Save” button.
Using CLI
Using CLI
To remediate the bucket logging misconfiguration for GCP using GCP CLI, follow these step-by-step instructions:
- Open the Cloud Shell from the GCP console.
-
Run the following command to list all the buckets in your project:
- Choose the bucket for which you want to enable logging.
-
Run the following command to enable logging for the bucket:
Replace
[BUCKET_NAME]with the name of your bucket and[LOG_BUCKET_NAME]with the name of the bucket where you want to store the logs.[PREFIX]is an optional parameter that allows you to specify a prefix for the log object names. -
Verify that logging has been enabled for the bucket by running the following command:
This command will display the current logging configuration for the bucket.
-
You can also view the logs in the log bucket by running the following command:
This command will list all the log files that have been generated for the specified bucket.
Using Python
Using Python
To remediate the misconfiguration “Bucket Logging Should Be Enabled” in GCP using Python, you can follow the below steps:The above steps will enable bucket logging for the specified GCP bucket. You can run this Python script as a standalone script or integrate it into your infrastructure as code pipeline.
- Import the required libraries:
- Set the project ID and bucket name:
- Create a client object of the storage bucket:
- Set the bucket’s logging configuration:
- Verify the logging configuration by checking the bucket’s logging properties: