google.spanner.admin.database.v1.DatabaseAdmin.CreateDatabase

​

Event Information

• The google.spanner.admin.database.v1.DatabaseAdmin.CreateDatabase event in GCP for CloudSpanner signifies the creation of a new database within the CloudSpanner service.
• This event indicates that a user or application has initiated the process of creating a new database in CloudSpanner.
• The event provides information about the database name, instance name, and other relevant details required for creating and configuring the database.

​

Examples

1. Insufficient access controls: If security is impacted with the google.spanner.admin.database.v1.DatabaseAdmin.CreateDatabase operation in GCP CloudSpanner, it could be due to insufficient access controls. For example, if the user or service account performing the operation has overly permissive IAM roles or permissions, it could lead to unauthorized creation of databases or potential data breaches.

2. Inadequate encryption: Another security impact could be related to inadequate encryption practices. If the CreateDatabase operation does not enforce encryption at rest for the newly created database, sensitive data could be exposed in case of unauthorized access or data leakage.

3. Lack of auditing and monitoring: The absence of proper auditing and monitoring mechanisms for the CreateDatabase operation can also impact security. Without comprehensive logging and monitoring, it becomes difficult to detect and respond to any unauthorized or malicious activities related to database creation, potentially leading to security breaches or data loss.

​

Remediation

​

Using Console

1. Enable VPC Service Controls:

   • Go to the GCP Console and navigate to the CloudSpanner instance.
   • Click on the “Edit” button to modify the instance settings.
   • Scroll down to the “VPC Service Controls” section and click on “Enable VPC Service Controls”.
   • Follow the prompts to configure the VPC Service Controls for the CloudSpanner instance.
   • Save the changes.

2. Implement IAM Roles and Permissions:

   • Go to the GCP Console and navigate to the CloudSpanner instance.
   • Click on the “Permissions” tab to manage IAM roles and permissions.
   • Click on “Add Member” to add the desired user or service account.
   • Select the appropriate IAM role(s) for the user or service account.
   • Click on “Save” to apply the changes.

3. Enable Audit Logging:

   • Go to the GCP Console and navigate to the CloudSpanner instance.
   • Click on the “Edit” button to modify the instance settings.
   • Scroll down to the “Audit Logging” section and click on “Enable Audit Logging”.
   • Select the desired audit logs to be enabled (e.g., Admin Activity, Data Access, System Event logs).
   • Save the changes.

Note: These steps may vary slightly depending on the specific version of the GCP Console and CloudSpanner. It is always recommended to refer to the official GCP documentation for the most up-to-date instructions.

​

Using CLI

To remediate the issues mentioned in the previous response for GCP CloudSpanner using GCP CLI, you can follow these steps:

1. Enable VPC Service Controls for CloudSpanner:

   • Use the following command to enable VPC Service Controls for CloudSpanner:

     gcloud services vpc-peerings update --service=servicenetworking.googleapis.com --network=projects/[PROJECT_ID]/global/networks/[NETWORK_NAME] --ranges=[IP_RANGE]
     

   • Replace [PROJECT_ID] with your GCP project ID, [NETWORK_NAME] with the name of your VPC network, and [IP_RANGE] with the IP range of your VPC network.

2. Implement IAM Roles and Permissions:

   • Use the following command to grant the necessary IAM roles to the appropriate users or service accounts:

     gcloud projects add-iam-policy-binding [PROJECT_ID] --member=[MEMBER] --role=[ROLE]
     

   • Replace [PROJECT_ID] with your GCP project ID, [MEMBER] with the email address or service account of the user, and [ROLE] with the desired IAM role.

3. Enable Audit Logging for CloudSpanner:

   • Use the following command to enable audit logging for CloudSpanner:

     gcloud logging sinks create [SINK_NAME] storage.googleapis.com/[BUCKET_NAME] --log-filter="resource.type=spanner_instance"
     

   • Replace [SINK_NAME] with a name for your logging sink, and [BUCKET_NAME] with the name of the Cloud Storage bucket where you want to store the logs.

Please note that the above commands are examples and may need to be modified based on your specific environment and requirements. Make sure to refer to the official GCP documentation for detailed instructions and additional options.

​

Using Python

To remediate the issues mentioned in the previous response for GCP CloudSpanner using Python, you can follow these steps:

1. Enable VPC Service Controls:

   • Use the google-cloud-securitycenter library to enable VPC Service Controls for CloudSpanner.
   • You can use the update_organization_settings method to update the organization settings and enable VPC Service Controls.
   • Here’s an example Python script:

   from google.cloud import securitycenter
   
   client = securitycenter.SecurityCenterClient()
   
   organization_settings = client.get_organization_settings(name="organizations/{organization_id}")
   organization_settings.enable_vpc_service_controls = True
   
   client.update_organization_settings(organization_settings=organization_settings)
   

2. Implement IAM Roles and Permissions:

   • Use the google-cloud-iam library to manage IAM roles and permissions for CloudSpanner.
   • You can use the add_iam_policy_binding method to add IAM policy bindings to grant appropriate roles and permissions.
   • Here’s an example Python script:

   from google.cloud import iam
   
   client = iam.IAMClient()
   
   policy = client.get_policy(request={"resource": "projects/{project_id}"})
   
   policy.bindings.add(
       role="roles/cloudspanner.admin",
       members=["user:{user_email}"]
   )
   
   client.set_policy(request={"resource": "projects/{project_id}", "policy": policy})
   

3. Implement Audit Logging:

   • Use the google-cloud-logging library to enable audit logging for CloudSpanner.
   • You can use the update_sink method to create or update a log sink to export audit logs to a desired destination.
   • Here’s an example Python script:

   from google.cloud import logging
   
   client = logging.Client()
   
   sink = client.sink("cloudspanner-audit-logs")
   
   sink.filter = 'logName:"projects/{project_id}/logs/cloudaudit.googleapis.com%2Factivity"'
   sink.destination = "pubsub.googleapis.com/projects/{project_id}/topics/{topic_id}"
   
   sink.create()
   

Please note that the above scripts are just examples and may need to be modified based on your specific requirements and environment setup.