Event Information

  • The google.firestore.admin.v1.FirestoreAdmin.ImportDocuments event in GCP for Firestore refers to an event that is triggered when documents are imported into a Firestore database.
  • This event indicates that a bulk import operation has been performed on the Firestore database, where multiple documents have been added or updated.
  • It is useful for monitoring and tracking the import process, as well as for auditing and troubleshooting purposes.

Examples

  • Unauthorized access to the FirestoreAdmin.ImportDocuments API: If proper access controls are not in place, an attacker may be able to gain unauthorized access to the FirestoreAdmin.ImportDocuments API. This can lead to potential data breaches or unauthorized modifications to the Firestore database.
  • Insecure data transfer: If the data transfer process during the import of documents is not properly secured, sensitive data may be intercepted or tampered with during transit. This can result in data leakage or integrity issues.
  • Insufficient data validation: If the FirestoreAdmin.ImportDocuments API does not perform sufficient data validation, it may be vulnerable to injection attacks or other forms of data manipulation. This can lead to the execution of malicious code or unauthorized modifications to the Firestore database.

Remediation

Using Console

To remediate the issues mentioned in the previous response for GCP Firestore using the GCP console, you can follow these step-by-step instructions:
  1. Enable VPC Service Controls:
    • Go to the GCP Console and navigate to the VPC Service Controls page.
    • Click on “Create Perimeter” and provide a name for the perimeter.
    • Select the project where your Firestore instance is located.
    • Choose the appropriate VPC network and subnet for the perimeter.
    • Add the necessary access levels and permissions for the perimeter.
    • Review the configuration and click on “Create” to enable VPC Service Controls.
  2. Implement IAM Roles and Permissions:
    • Go to the IAM & Admin section in the GCP Console.
    • Select the project where your Firestore instance is located.
    • Click on “IAM” and then “Add”.
    • Enter the email address of the user or service account that needs access to Firestore.
    • Choose the appropriate IAM role(s) based on the required level of access.
    • Click on “Save” to grant the roles and permissions to the user or service account.
  3. Enable Audit Logging:
    • Go to the GCP Console and navigate to the Firestore page.
    • Select the project and Firestore instance you want to enable audit logging for.
    • Click on “Edit” and scroll down to the “Audit Logging” section.
    • Enable the desired audit logs, such as Admin Read, Data Read, and Data Write.
    • Choose the destination for the logs, such as Cloud Storage or BigQuery.
    • Review the configuration and click on “Save” to enable audit logging for Firestore.
Note: The exact steps may vary slightly based on the current GCP Console interface and any specific configurations in your environment. It is always recommended to refer to the official GCP documentation for the most up-to-date instructions.

Using CLI

To remediate the issues in GCP Firestore using GCP CLI, you can follow these steps:
  1. Enable audit logging:
    • Use the following command to enable audit logging for Firestore: 
      gcloud firestore databases patch [DATABASE_ID] --log-exclusion-names=cloudaudit.googleapis.com%2Factivity
    • Replace [DATABASE_ID] with the ID of your Firestore database.
  2. Implement VPC Service Controls:
    • Create a VPC Service Perimeter to restrict access to Firestore: 
      gcloud access-context-manager perimeters create [PERIMETER_NAME] --resources=projects/[PROJECT_ID]/locations/[LOCATION]/buckets/[BUCKET_NAME] --restricted-services=firestore.googleapis.com
    • Replace [PERIMETER_NAME], [PROJECT_ID], [LOCATION], and [BUCKET_NAME] with the appropriate values.
  3. Enable data encryption at rest:
    • Use the following command to enable data encryption at rest for Firestore: 
      gcloud firestore databases patch [DATABASE_ID] --location=[LOCATION] --enable-encryption
    • Replace [DATABASE_ID] and [LOCATION] with the appropriate values.
Note: Make sure you have the necessary permissions to execute these commands and replace the placeholders with the actual values specific to your GCP environment.

Using Python

To remediate the issues mentioned in the previous response for GCP Firestore using Python, you can follow these steps:
  1. Enable Firestore Audit Logs:
    • Use the Google Cloud Python SDK to enable Firestore Audit Logs for your project.
    • You can use the google-cloud-logging library to create a sink that exports Firestore Audit Logs to Cloud Logging.
    • Here’s an example Python script to enable Firestore Audit Logs:
    from google.cloud import logging_v2

def enable_firestore_audit_logs(project_id, firestore_dataset):
    client = logging_v2.LoggingServiceV2Client()
    parent = f"projects/{project_id}"
    sink_name = f"{parent}/sinks/firestore-audit-logs"
    filter_expr = f'resource.type="cloud_firestore_database" AND log_name="projects/{project_id}/logs/cloudaudit.googleapis.com%2Factivity"'
    destination = f"bigquery.googleapis.com/projects/{project_id}/datasets/{firestore_dataset}"

    sink = {
        "name": sink_name,
        "filter": filter_expr,
        "destination": destination,
        "output_version_format": "V2",
    }

    response = client.create_sink(parent, sink)
    print(f"Enabled Firestore Audit Logs with sink name: {response.name}")

enable_firestore_audit_logs("your-project-id", "your-firestore-dataset")
  2. Implement Access Controls:
    • Use the Google Cloud Python SDK to implement access controls for Firestore.
    • You can use the google-cloud-iam library to manage IAM policies for Firestore.
    • Here’s an example Python script to grant a user the roles/datastore.owner role for a Firestore database:
    from google.cloud import firestore
from google.cloud.iam_v1 import Policy

def grant_firestore_access(project_id, firestore_database, user_email):
    client = firestore.Client(project=project_id)
    database_path = f"projects/{project_id}/databases/{firestore_database}"
    policy = client.get_iam_policy(request={"resource": database_path})

    policy.bindings.add(
        role="roles/datastore.owner",
        members=[f"user:{user_email}"],
    )

    updated_policy = client.set_iam_policy(request={"resource": database_path, "policy": policy})
    print(f"Granted user {user_email} the roles/datastore.owner role for Firestore")

grant_firestore_access("your-project-id", "your-firestore-database", "[email protected]")
  3. Implement Data Encryption:
    • Use the Google Cloud Python SDK to implement data encryption for Firestore.
    • You can use the google-cloud-kms library to encrypt and decrypt Firestore data using Cloud KMS.
    • Here’s an example Python script to encrypt and decrypt a Firestore document:
    from google.cloud import firestore
from google.cloud import kms_v1

def encrypt_firestore_document(project_id, firestore_database, document_path, kms_key_name):
    client = firestore.Client(project=project_id)
    document_ref = client.document(firestore_database, document_path)
    document_data = document_ref.get().to_dict()

    kms_client = kms_v1.KeyManagementServiceClient()
    key_name = f"projects/{project_id}/locations/global/keyRings/{kms_key_name}/cryptoKeys/{kms_key_name}"
    plaintext = str(document_data).encode("utf-8")

    response = kms_client.encrypt(request={"name": key_name, "plaintext": plaintext})
    encrypted_data = response.ciphertext

    document_ref.set({"encrypted_data": encrypted_data})
    print(f"Encrypted Firestore document at {document_path}")

def decrypt_firestore_document(project_id, firestore_database, document_path, kms_key_name):
    client = firestore.Client(project=project_id)
    document_ref = client.document(firestore_database, document_path)
    document_data = document_ref.get().to_dict()

    kms_client = kms_v1.KeyManagementServiceClient()
    key_name = f"projects/{project_id}/locations/global/keyRings/{kms_key_name}/cryptoKeys/{kms_key_name}"
    ciphertext = document_data["encrypted_data"]

    response = kms_client.decrypt(request={"name": key_name, "ciphertext": ciphertext})
    decrypted_data = response.plaintext.decode("utf-8")

    print(f"Decrypted Firestore document at {document_path}: {decrypted_data}")

encrypt_firestore_document("your-project-id", "your-firestore-database", "your-document-path", "your-kms-key-name")
decrypt_firestore_document("your-project-id", "your-firestore-database", "your-document-path", "your-kms-key-name")
Please note that you need to replace the placeholders (your-project-id, your-firestore-dataset, your-firestore-database, [email protected], your-document-path, your-kms-key-name) with your actual values.