More Info:

Ensures object logging is enabled on storage buckets. Storage bucket logging helps maintain an audit trail of access that can be used in the event of a security incident.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

SOC2, NIST, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS, FedRAMP

Triage and Remediation

Remediation

Using Console

To remediate the bucket logging misconfiguration in GCP using the GCP console, follow these steps:
  1. Open the GCP console and navigate to the Storage section.
  2. Select the bucket for which you want to enable logging.
  3. Click on the “Edit bucket details” button at the top of the page.
  4. Scroll down to the “Logging” section and click on the “Configure” button.
  5. In the “Configure logging” dialog box, select the “Cloud Audit Logs” option.
  6. Choose the appropriate logs you want to receive and click on the “Save” button.
Once you have completed these steps, bucket logging will be enabled for the selected bucket in GCP. The logs will be stored in the Cloud Audit Logs and can be accessed via the GCP console or through the Cloud Logging API.

To remediate the bucket logging misconfiguration for GCP using GCP CLI, follow these step-by-step instructions:
  1. Open the Cloud Shell from the GCP console.
  2. Run the following command to list all the buckets in your project: 
    gsutil ls
  3. Choose the bucket for which you want to enable logging.
  4. Run the following command to enable logging for the bucket: 
    gsutil logging set on -b gs://[BUCKET_NAME] gs://[LOG_BUCKET_NAME]/[PREFIX]
    Replace [BUCKET_NAME] with the name of your bucket and [LOG_BUCKET_NAME] with the name of the bucket where you want to store the logs. [PREFIX] is an optional parameter that allows you to specify a prefix for the log object names.
  5. Verify that logging has been enabled for the bucket by running the following command: 
    gsutil logging get gs://[BUCKET_NAME]
    This command will display the current logging configuration for the bucket.
  6. You can also view the logs in the log bucket by running the following command: 
    gsutil ls gs://[LOG_BUCKET_NAME]/[PREFIX]
    This command will list all the log files that have been generated for the specified bucket.
With these steps, you have successfully enabled bucket logging for your GCP bucket using GCP CLI.
To remediate the misconfiguration “Bucket Logging Should Be Enabled” in GCP using Python, you can follow the below steps:
  1. Import the required libraries:
from google.cloud import storage
  1. Set the project ID and bucket name:
project_id = 'your_project_id'
bucket_name = 'your_bucket_name'
  1. Create a client object of the storage bucket:
storage_client = storage.Client(project=project_id)
bucket = storage_client.get_bucket(bucket_name)
  1. Set the bucket’s logging configuration:
bucket.logging = {'logBucket': 'your_logging_bucket_name', 'logObjectPrefix': 'your_log_object_prefix'}
bucket.patch()
  1. Verify the logging configuration by checking the bucket’s logging properties:
bucket.reload()
print(bucket.logging)
The above steps will enable bucket logging for the specified GCP bucket. You can run this Python script as a standalone script or integrate it into your infrastructure as code pipeline.

Additional Reading: