Enforce Detailed Audit Logging Mode
More Info:
Ensure that “Google Cloud Platform - Detailed Audit Logging Mode” policy is enforced at the organization level in order to enable Detailed Audit Logging feature for the supported Cloud Storage resources available within your GCP organization.Risk Level
MediumAddress
Operational Maturity, Reliability, SecurityCompliance Standards
CISGCP, CBP, GDPR, HIPAA, ISO27001Triage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration of not enforcing detailed audit logging mode in GCP, you can follow the steps below using the GCP console:
- Log in to your Google Cloud Console.
- Navigate to the “Logging” page by clicking on the hamburger menu on the top left corner of the page and selecting “Logging” under the “TOOLS” section.
- Click on “Log Router” on the left-hand side of the page.
- Click on “Create Sink” at the top of the page.
- In the “Create Sink” page, enter a name for the sink in the “Name” field.
- In the “Sink Service” field, select the service you want to enable detailed audit logging for. For example, you can select “Cloud Storage”.
- In the “Sink Destination” field, select “BigQuery” or “Cloud Pub/Sub” as the destination for the logs.
- In the “Sink Filter” field, enter the filter expression to specify the logs you want to collect. For example, you can enter “protoPayload.serviceName=storage.googleapis.com” to collect logs related to Cloud Storage.
- Click on “Create Sink” to create the sink.
- Repeat steps 4 to 9 for each service you want to enable detailed audit logging for.
Using CLI
Using CLI
To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” for GCP using GCP CLI, follow these steps:Note: Replace This command should return the configuration details for audit logging.This command will enable enforced audit logging mode for all services in the current project.This command should return the configuration details for enforced audit logging mode.
- Open the Cloud Shell in the GCP Console.
- Run the following command to enable audit logging for all services in the current project:
[PROJECT_ID] with the ID of your GCP project and [USER_EMAIL] with the email address of the user who should be exempted from audit logging.- Run the following command to verify that audit logging is enabled:
- Run the following command to enable enforced audit logging mode:
- Run the following command to verify that enforced audit logging mode is enabled:
- Verify that audit logs are being generated for all services in the project by checking the audit logs in the Logging console.
Using Python
Using Python
To remediate the misconfiguration “Enforce Detailed Audit Logging Mode” in GCP using Python, you can follow the below steps:Step 1: Install the necessary packagesStep 2: Set the project ID and the log sink nameStep 3: Create a client object for the Logging APIStep 4: Create a sink filter to include all audit logsStep 5: Create a sink object with the filter and destinationStep 6: Create or update the sink in the projectStep 7: Verify that the sink is created and that audit logs are being exportedThis will create or update the sink in the project and start exporting all audit logs to BigQuery. You can verify that the sink is created and that audit logs are being exported by checking the output of the
list_sinks method.