google.bigtable.admin.v2.BigtableTableAdmin.CreateBackup

​

Event Information

• The google.bigtable.admin.v2.BigtableTableAdmin.CreateBackup event in GCP for Bigtable indicates the initiation of a backup creation process for a Bigtable table.
• This event signifies that a user or an automated process has requested to create a backup of a specific Bigtable table.
• The event provides information about the table and the backup configuration, allowing administrators to track and monitor the backup creation process.

​

Examples

1. Unauthorized access: If security is impacted with google.bigtable.admin.v2.BigtableTableAdmin.CreateBackup in GCP for Bigtable, it could potentially allow unauthorized users to create backups of Bigtable tables. This could lead to unauthorized access to sensitive data stored in the tables, compromising the confidentiality and integrity of the data.

2. Data leakage: If security is impacted with google.bigtable.admin.v2.BigtableTableAdmin.CreateBackup in GCP for Bigtable, it could result in the creation of backups without proper access controls. This could potentially lead to data leakage if the backups are accessible to unauthorized users. Sensitive data could be exposed, violating data privacy regulations and putting the organization at risk.

3. Backup integrity: If security is impacted with google.bigtable.admin.v2.BigtableTableAdmin.CreateBackup in GCP for Bigtable, it could compromise the integrity of the backups. Unauthorized modifications or tampering with the backup files could result in the restoration of corrupted or compromised data. This could impact the reliability and availability of the data during disaster recovery scenarios.

​

Remediation

​

Using Console

1. Enable VPC Service Controls:

   • Go to the GCP Console and navigate to the VPC Service Controls page.
   • Click on “Create Perimeter” and provide a name for the perimeter.
   • Select the project where your Bigtable instance is located.
   • Choose the desired VPC network and subnet for the perimeter.
   • Click on “Create” to create the perimeter.
   • Once the perimeter is created, click on “Add Access Level” to define the access level for Bigtable.
   • Select the Bigtable API and choose the desired access level.
   • Click on “Add Access Level” to save the access level.
   • Finally, click on “Attach” to attach the perimeter to the project.

2. Enable Audit Logging:

   • Go to the GCP Console and navigate to the Bigtable instance page.
   • Select the instance for which you want to enable audit logging.
   • Click on “Edit” to edit the instance settings.
   • Scroll down to the “Audit Logging” section and click on “Enable”.
   • Choose the desired log sink, such as Cloud Storage or BigQuery.
   • Configure the log sink settings, such as the bucket or dataset name.
   • Click on “Save” to enable audit logging for the Bigtable instance.

3. Implement IAM Best Practices:

   • Go to the GCP Console and navigate to the IAM & Admin page.
   • Click on “IAM” to view the IAM roles and permissions.
   • Review the existing IAM roles and identify any unnecessary or overly permissive roles.
   • Remove any unnecessary roles or adjust the permissions of existing roles.
   • Create custom IAM roles if needed to provide more granular access control.
   • Assign the appropriate IAM roles to users or service accounts based on their responsibilities.
   • Regularly review and update the IAM roles and permissions to ensure least privilege access.

​

Using CLI

To remediate the issues mentioned in the previous response for GCP Bigtable using GCP CLI, you can follow these steps:

1. Enable audit logging for GCP Bigtable:

   • Use the following command to enable audit logging for Bigtable:

     gcloud logging sinks create [SINK_NAME] bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --log-filter='resource.type="bigtable_instance"'
     

   • Replace [SINK_NAME] with a name for the sink, [PROJECT_ID] with your GCP project ID, and [INSTANCE_ID] with the ID of your Bigtable instance.

2. Implement VPC Service Controls for Bigtable:

   • Create a VPC Service Controls perimeter for Bigtable using the following command:

     gcloud access-context-manager perimeters create [PERIMETER_NAME] --resources=bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --restricted-services=bigtable.googleapis.com
     

   • Replace [PERIMETER_NAME] with a name for the perimeter.

3. Enable encryption at rest for Bigtable:

   • Use the following command to enable encryption at rest for Bigtable:

     gcloud beta bigtable instances update [INSTANCE_ID] --cluster=[CLUSTER_ID] --encryption-at-rest-state=ENABLED
     

   • Replace [INSTANCE_ID] with the ID of your Bigtable instance and [CLUSTER_ID] with the ID of your Bigtable cluster.

Please note that the above commands are examples and may need to be modified based on your specific GCP setup and requirements.

​

Using Python

To remediate the issues mentioned in the previous response for GCP Bigtable using Python, you can follow these steps:

1. Enable VPC Service Controls:
   • Use the google-cloud-bigtable library in Python to create a new Bigtable instance.
   • Set the location_id parameter to specify the location of the instance.
   • Enable VPC Service Controls by setting the enable_vpc_service_controls parameter to True while creating the instance.

from google.cloud import bigtable

project_id = 'your-project-id'
instance_id = 'your-instance-id'
location_id = 'your-location-id'

client = bigtable.Client(project=project_id, admin=True)
instance = client.instance(instance_id, location_id=location_id, enable_vpc_service_controls=True)
instance.create()

2. Implement IAM Roles and Permissions:
   • Use the google-cloud-iam library in Python to manage IAM roles and permissions for Bigtable.
   • Use the google.cloud.iam.Policy class to get the existing IAM policy for the Bigtable instance.
   • Add or remove the necessary roles and permissions using the add_binding() and remove_role() methods.
   • Set the updated IAM policy using the set_policy() method.

from google.cloud import iam

project_id = 'your-project-id'
instance_id = 'your-instance-id'

client = iam.IAMClient()
policy = client.get_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}"})

# Add a new role to the policy
policy.add_binding(role="roles/bigtable.reader", members=["user:[email protected]"])

# Remove an existing role from the policy
policy.remove_role(role="roles/bigtable.admin")

# Set the updated policy
client.set_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}", "policy": policy})

3. Implement Audit Logging:
   • Use the google-cloud-logging library in Python to enable audit logging for Bigtable.
   • Create a new sink using the google.cloud.logging.Sink class and specify the destination for the logs.
   • Set the filter to include only the relevant Bigtable logs.
   • Create the sink using the create() method.

from google.cloud import logging

project_id = 'your-project-id'
sink_name = 'your-sink-name'
destination = 'your-destination'

client = logging.Client(project=project_id)
sink = client.sink(sink_name, filter_='logName:"projects/{project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"')
sink.destination = destination
sink.create()

Please note that you need to replace the placeholders (your-project-id, your-instance-id, your-location-id, your-sink-name, your-destination) with the actual values specific to your GCP environment.