Event Information

  • The google.firestore.admin.v1.FirestoreAdmin.ExportDocuments event in GCP for Firestore indicates that a document export operation is being performed in Firestore.
  • This event is triggered when Firestore data is being exported to a specified destination, such as Cloud Storage or BigQuery.
  • It signifies that the Firestore data is being backed up or transferred to another system for further analysis or storage purposes.

Examples

  • Unauthorized access: If the necessary access controls are not properly configured, an attacker may be able to gain unauthorized access to the Firestore data being exported. This can lead to data breaches and compromise the security of sensitive information.

  • Data leakage: If the exported Firestore documents are not encrypted during transit or at rest, there is a risk of data leakage. This can occur if the data is intercepted during transmission or if the storage where the exported documents are stored is compromised.

  • Compliance violations: If the exported Firestore documents contain sensitive or regulated data, such as personally identifiable information (PII) or financial information, the export process must comply with relevant compliance standards. Failure to do so can result in compliance violations and potential legal consequences.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Firestore using the GCP console, you can follow these step-by-step instructions:

  1. Enable VPC Service Controls:

    • Go to the GCP Console and navigate to the VPC Service Controls page.
    • Click on “Create Perimeter” and provide a name for the perimeter.
    • Select the project where your Firestore instance is located.
    • Choose the appropriate VPC network and subnet for the perimeter.
    • Add the necessary access levels and permissions for the perimeter.
    • Review the configuration and click on “Create” to enable VPC Service Controls.

  2. Implement IAM Roles and Permissions:

    • Go to the IAM & Admin section in the GCP Console.
    • Select the project where your Firestore instance is located.
    • Click on “IAM” and then “Add”.
    • Enter the email address of the user or service account that needs access to Firestore.
    • Choose the appropriate IAM role(s) based on the required level of access.
    • Click on “Save” to grant the roles and permissions to the user or service account.

  3. Enable Audit Logging:

    • Go to the GCP Console and navigate to the Firestore page.
    • Select the project and Firestore instance you want to enable audit logging for.
    • Click on “Edit” and scroll down to the “Audit Logging” section.
    • Enable the desired audit logs, such as Admin Read, Data Read, and Data Write.
    • Choose the destination for the logs, such as Cloud Storage or BigQuery.
    • Configure any additional settings, such as log retention period.
    • Click on “Save” to enable audit logging for Firestore.

Note: The exact steps may vary slightly based on the GCP Console interface and any specific configurations in your environment. It is recommended to refer to the official GCP documentation for detailed instructions.

Using CLI

To remediate the issues in GCP Firestore using GCP CLI, you can follow these steps:

  1. Enable audit logging:

    • Use the following command to enable audit logging for Firestore: 
      gcloud firestore databases patch [DATABASE_ID] --log-exclusion-names=cloudaudit.googleapis.com%2Factivity

  2. Implement VPC Service Controls:

    • Create a VPC Service Control perimeter using the following command: 
      gcloud access-context-manager perimeters create [PERIMETER_ID] --resources=projects/[PROJECT_ID]/locations/[LOCATION]/buckets/[BUCKET_NAME] --restricted-services=firestore.googleapis.com
    • Associate the VPC Service Control perimeter with the project using the following command: 
      gcloud access-context-manager perimeters update [PERIMETER_ID] --add-access-levels=[ACCESS_LEVEL_ID]

  3. Enable data encryption at rest:

    • Create a new Firestore instance with data encryption at rest enabled using the following command: 
      gcloud firestore instances create [INSTANCE_ID] --location=[LOCATION] --encryption-key-name=[KEY_NAME]

Note: Replace the placeholders ([DATABASE_ID], [PROJECT_ID], [LOCATION], [BUCKET_NAME], [PERIMETER_ID], [ACCESS_LEVEL_ID], [INSTANCE_ID], [KEY_NAME]) with the actual values specific to your environment.

Using Python

To remediate the issues mentioned in the previous response for GCP Firestore using Python, you can follow these steps:

  1. Enable Firestore Audit Logs:

    • Use the Google Cloud Python SDK to enable Firestore Audit Logs for your project.
    • You can use the google-cloud-logging library to create a sink that exports Firestore Audit Logs to Cloud Logging.
    • Here’s an example Python script to enable Firestore Audit Logs:
    from google.cloud import logging_v2

def enable_firestore_audit_logs(project_id, firestore_dataset):
    client = logging_v2.LoggingServiceV2Client()
    parent = f"projects/{project_id}"
    sink_name = f"{parent}/sinks/firestore-audit-logs"
    filter_expr = f'resource.type="cloud_firestore_database" AND log_name="projects/{project_id}/logs/cloudaudit.googleapis.com%2Factivity"'
    destination = f"bigquery.googleapis.com/projects/{project_id}/datasets/{firestore_dataset}"

    sink = {
        "name": sink_name,
        "filter": filter_expr,
        "destination": destination,
        "output_version_format": "V2",
    }

    response = client.create_sink(parent, sink)
    print(f"Firestore Audit Logs enabled: {response.name}")

enable_firestore_audit_logs("your-project-id", "your-firestore-dataset")

  2. Implement Access Controls:

    • Use the Google Cloud Python SDK to implement access controls for your Firestore database.
    • You can use the google-cloud-firestore library to define and enforce access rules.
    • Here’s an example Python script to create a Firestore document with access controls:
    from google.cloud import firestore

def create_document_with_access_controls(project_id, collection, document, data):
    db = firestore.Client(project=project_id)
    doc_ref = db.collection(collection).document(document)
    doc_ref.set(data)

create_document_with_access_controls("your-project-id", "your-collection", "your-document", {"key": "value"})

  3. Monitor and Alert on Suspicious Activities:

    • Use the Google Cloud Python SDK to monitor and alert on suspicious activities in Firestore.
    • You can use the google-cloud-logging library to query Firestore Audit Logs and send alerts based on specific criteria.
    • Here’s an example Python script to query Firestore Audit Logs and send an alert:
    from google.cloud import logging_v2

def query_and_alert_suspicious_activities(project_id):
    client = logging_v2.LoggingServiceV2Client()
    parent = f"projects/{project_id}"
    filter_expr = f'resource.type="cloud_firestore_database" AND log_name="projects/{project_id}/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.methodName="google.firestore.v1.Firestore.WriteDocument"'
    response = client.list_log_entries(parent, filter_=filter_expr)

    for entry in response:
        print(f"Suspicious activity detected: {entry.log_name}")

query_and_alert_suspicious_activities("your-project-id")

Please note that the provided Python scripts are just examples and may need to be customized based on your specific requirements and environment.