Event Information

  • The google.bigtable.admin.v2.BigtableTableAdmin.DeleteBackup event in GCP for Bigtable indicates that a backup of a Bigtable table has been deleted.
  • This event is triggered when a user or an automated process initiates the deletion of a backup.
  • The event provides information about the backup that was deleted, such as the backup ID and the name of the table from which the backup was taken.

Examples

  1. Unauthorized deletion: If proper access controls and permissions are not in place, an attacker could potentially delete backups using the google.bigtable.admin.v2.BigtableTableAdmin.DeleteBackup method. This could result in permanent data loss and compromise the integrity of the system.
  2. Data leakage: If an unauthorized user gains access to the google.bigtable.admin.v2.BigtableTableAdmin.DeleteBackup method, they could potentially delete backups containing sensitive data. This could lead to data leakage and violation of compliance regulations, such as GDPR or HIPAA.
  3. Denial of service: If an attacker gains access to the google.bigtable.admin.v2.BigtableTableAdmin.DeleteBackup method, they could potentially delete backups as a form of sabotage. This could result in a denial of service, impacting the availability and reliability of the Bigtable service.

Remediation

Using Console

  1. Enable VPC Service Controls:
    • Go to the GCP Console and navigate to the VPC Service Controls page.
    • Click on “Create Perimeter” and provide a name for the perimeter.
    • Select the project where your Bigtable instance is located.
    • Choose the desired VPC network and subnet for the perimeter.
    • Click on “Create” to create the perimeter.
    • Once the perimeter is created, click on “Add Access Level” to define the access level for Bigtable.
    • Select the Bigtable API and choose the desired access level.
    • Click on “Add Access Level” to save the access level.
    • Finally, click on “Attach” to attach the perimeter to the project.
  2. Enable Audit Logging:
    • Go to the GCP Console and navigate to the Bigtable instance page.
    • Click on the instance name to open the instance details.
    • In the left navigation menu, click on “Audit Logs”.
    • Click on “Enable Audit Logs” and choose the desired log sink.
    • Select the log sink destination and click on “Enable” to enable audit logging for the Bigtable instance.
  3. Implement IAM Roles and Permissions:
    • Go to the GCP Console and navigate to the IAM & Admin page.
    • Click on “IAM” to open the IAM page.
    • Click on “Add” to add a new member.
    • Enter the email address of the user or service account that needs access to Bigtable.
    • Select the desired role for the user or service account (e.g., Bigtable Admin, Bigtable User).
    • Click on “Save” to save the changes.
    • Repeat the above steps for each user or service account that needs access to Bigtable.
Note: These instructions assume that you have the necessary permissions to perform the actions mentioned.

Using CLI

To remediate the issues mentioned in the previous response for GCP Bigtable using GCP CLI, you can follow these steps:
  1. Enable audit logging for GCP Bigtable:
    • Use the following command to enable audit logging for Bigtable: 
      gcloud logging sinks create [SINK_NAME] bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --log-filter='resource.type="bigtable_instance"'
    • Replace [SINK_NAME] with a name for the sink, [PROJECT_ID] with your GCP project ID, and [INSTANCE_ID] with the ID of your Bigtable instance.
  2. Implement VPC Service Controls for Bigtable:
    • Create a VPC Service Controls perimeter for Bigtable using the following command: 
      gcloud access-context-manager perimeters create [PERIMETER_NAME] --resources=bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --restricted-services=bigtable.googleapis.com
    • Replace [PERIMETER_NAME] with a name for the perimeter.
  3. Enable encryption at rest for Bigtable:
    • Use the following command to enable encryption at rest for Bigtable: 
      gcloud beta bigtable instances update [INSTANCE_ID] --cluster=[CLUSTER_ID] --encryption-at-rest-state=ENABLED
    • Replace [INSTANCE_ID] with the ID of your Bigtable instance and [CLUSTER_ID] with the ID of your Bigtable cluster.
Please note that the above commands are examples and may need to be modified based on your specific GCP setup and requirements.

Using Python

To remediate the issues mentioned in the previous response for GCP Bigtable using Python, you can follow these steps:
  1. Enable VPC Service Controls:
    • Use the google-cloud-bigtable library in Python to create a new Bigtable instance.
    • Set the location_id parameter to specify the location of the instance.
    • Enable VPC Service Controls by setting the enable_vpc_service_controls parameter to True while creating the instance.
from google.cloud import bigtable

project_id = 'your-project-id'
instance_id = 'your-instance-id'
location_id = 'your-location-id'

client = bigtable.Client(project=project_id, admin=True)
instance = client.instance(instance_id, location_id=location_id, enable_vpc_service_controls=True)
instance.create()
  1. Implement IAM Roles and Permissions:
    • Use the google-cloud-iam library in Python to manage IAM policies for Bigtable.
    • Use the Policy class to create a new policy object.
    • Add the necessary bindings to the policy object to grant appropriate roles and permissions to users or service accounts.
from google.cloud import iam

project_id = 'your-project-id'
instance_id = 'your-instance-id'

client = iam.IAMClient()
policy = client.get_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}"})

# Add bindings to the policy object
policy.bindings.add(role="roles/bigtable.reader", members=["user:[email protected]"])
policy.bindings.add(role="roles/bigtable.admin", members=["serviceAccount:[email protected]"])

# Update the policy
client.set_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}", "policy": policy})
  1. Implement Audit Logging:
    • Use the google-cloud-logging library in Python to enable audit logging for Bigtable.
    • Create a new logger and set the appropriate log level and filters.
    • Use the logger to log relevant events and actions within your Bigtable application.
import logging

project_id = 'your-project-id'
log_name = 'your-log-name'

logger = logging.getLogger(log_name)
logger.setLevel(logging.INFO)

# Log an event
logger.info('An action was performed in Bigtable.')

# Log an error
logger.error('An error occurred in Bigtable.')
Please note that the above code snippets are just examples and may need to be modified based on your specific requirements and environment setup.