google.bigtable.admin.v2.BigtableTableAdmin.ModifyColumnFamilies

​

Event Information

• The google.bigtable.admin.v2.BigtableTableAdmin.ModifyColumnFamilies event in GCP for Bigtable refers to a modification made to the column families of a Bigtable table.
• This event indicates that changes have been made to the structure or configuration of the column families within a Bigtable table.
• It could involve adding, modifying, or deleting column families, as well as adjusting their properties such as compression, garbage collection rules, or timestamps.

​

Examples

1. Unauthorized modification of column families: If security is impacted with google.bigtable.admin.v2.BigtableTableAdmin.ModifyColumnFamilies, it could potentially allow unauthorized users to modify the column families within a Bigtable instance. This could lead to unauthorized access to sensitive data or the introduction of malicious code.

2. Data integrity risks: Unauthorized modification of column families can also result in data integrity risks. If an attacker gains access to modify column families, they could potentially alter or delete data within the Bigtable instance, leading to data corruption or loss.

3. Compliance violations: Unauthorized modification of column families can also lead to compliance violations. If sensitive data is modified or deleted without proper authorization, it can result in non-compliance with data protection regulations such as GDPR or HIPAA. This can lead to legal and financial consequences for the organization.

​

Remediation

​

Using Console

1. Enable VPC Service Controls:

   • Go to the GCP Console and navigate to the VPC Service Controls page.
   • Click on “Create Perimeter” and provide a name for the perimeter.
   • Select the project where your Bigtable instance is located.
   • Choose the desired VPC network and subnet for the perimeter.
   • Click on “Create” to create the perimeter.
   • Once the perimeter is created, click on “Add Access Level” to define the access level for Bigtable.
   • Select the Bigtable API and choose the desired access level.
   • Click on “Add Access Level” to save the access level.
   • Finally, click on “Attach” to attach the perimeter to the project.

2. Implement IAM Roles and Permissions:

   • Go to the IAM & Admin page in the GCP Console.
   • Select the project where your Bigtable instance is located.
   • Click on “Add” to add a new member to the project.
   • Enter the email address of the user or service account that needs access to Bigtable.
   • Select the appropriate IAM role for the user or service account (e.g., Bigtable Admin, Bigtable User).
   • Click on “Save” to grant the IAM role to the user or service account.

3. Configure Firewall Rules:

   • Go to the VPC Network page in the GCP Console.
   • Select the VPC network where your Bigtable instance is located.
   • Click on “Firewall Rules” and then click on “Create Firewall Rule”.
   • Provide a name for the firewall rule and specify the source IP ranges that should have access to Bigtable.
   • Set the target to “All instances in the network” or specify the specific instances that should have access.
   • Choose the appropriate protocols and ports for Bigtable (e.g., TCP, port 443).
   • Click on “Create” to create the firewall rule.

Note: These instructions assume that you have the necessary permissions to perform these actions in the GCP Console. Make sure to review and adjust the settings based on your specific requirements and security policies.

​

Using CLI

To remediate the issues mentioned in the previous response for GCP Bigtable using GCP CLI, you can follow these steps:

1. Enable audit logging for GCP Bigtable:

   • Use the following command to enable audit logging for Bigtable:

     gcloud logging sinks create [SINK_NAME] bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --log-filter='resource.type="bigtable_instance"'
     

   • Replace [SINK_NAME] with a name for the sink, [PROJECT_ID] with your GCP project ID, and [INSTANCE_ID] with the ID of your Bigtable instance.

2. Implement VPC Service Controls for Bigtable:

   • Create a VPC Service Controls perimeter for Bigtable using the following command:

     gcloud access-context-manager perimeters create [PERIMETER_NAME] --resources=bigtable.googleapis.com/projects/[PROJECT_ID]/instances/[INSTANCE_ID] --restricted-services=bigtable.googleapis.com
     

   • Replace [PERIMETER_NAME] with a name for the perimeter.

3. Enable encryption at rest for Bigtable:

   • Use the following command to enable encryption at rest for Bigtable:

     gcloud beta bigtable instances update [INSTANCE_ID] --cluster=[CLUSTER_ID] --encryption-at-rest-state=ENABLED
     

   • Replace [INSTANCE_ID] with the ID of your Bigtable instance and [CLUSTER_ID] with the ID of your Bigtable cluster.

Note: Make sure to authenticate with the appropriate GCP credentials before running these commands.

​

Using Python

To remediate the issues mentioned in the previous response for GCP Bigtable using Python, you can follow these steps:

1. Enable VPC Service Controls:
   • Use the google-cloud-bigtable library in Python to create a new Bigtable instance.
   • Set the location_id parameter to specify the location of the instance.
   • Enable VPC Service Controls by setting the enable_vpc_service_controls parameter to True while creating the instance.

from google.cloud import bigtable

project_id = 'your-project-id'
instance_id = 'your-instance-id'
location_id = 'your-location-id'

client = bigtable.Client(project=project_id, admin=True)
instance = client.instance(instance_id, location_id=location_id, enable_vpc_service_controls=True)
instance.create()

2. Implement IAM Roles and Permissions:
   • Use the google-cloud-iam library in Python to manage IAM roles and permissions for Bigtable.
   • Use the google.cloud.iam.Policy class to get the existing IAM policy for the Bigtable instance.
   • Add or remove the necessary roles and permissions using the add_binding() and remove_role() methods.
   • Set the updated IAM policy using the set_policy() method.

from google.cloud import iam

project_id = 'your-project-id'
instance_id = 'your-instance-id'

client = iam.IAMClient()
policy = client.get_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}"})

# Add a new role to the policy
policy.add_binding(role="roles/bigtable.reader", members=["user:[email protected]"])

# Remove an existing role from the policy
policy.remove_role(role="roles/bigtable.admin")

# Set the updated policy
client.set_policy(request={"resource": f"projects/{project_id}/instances/{instance_id}", "policy": policy})

3. Implement Audit Logging:
   • Use the google-cloud-logging library in Python to enable audit logging for Bigtable.
   • Create a new sink using the google.cloud.logging.Sink class and specify the destination for the logs.
   • Set the filter to include only the relevant Bigtable logs.
   • Create the sink using the create() method.

from google.cloud import logging

project_id = 'your-project-id'
sink_name = 'your-sink-name'
destination = 'your-destination'

client = logging.Client(project=project_id)
sink = client.sink(sink_name, filter_='logName:"projects/{project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"')
sink.destination = destination
sink.create()

Please note that you need to replace the placeholders (your-project-id, your-instance-id, your-location-id, your-sink-name, your-destination) with the actual values specific to your GCP environment.