Audit Configuration Change Log Alerts Should Be Enabled
More Info:
Ensures that logging and log alerts exist for audit configuration changes. Project Ownership is the highest level of privilege on a project, any changes in audit configuration should be heavily monitored to prevent unauthorized changes.Risk Level
MediumAddress
SecurityCompliance Standards
SOC2, CISGCP, CBP, HITRUST, GDPR, PCIDSSTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” on GCP using the GCP console, you can follow these steps:
- Open the GCP console and navigate to the Cloud Logging page.
- Click on “Logs-based Metrics” in the left-hand menu.
- Click on “Create Metric” to create a new metric.
-
Give your metric a name and description, and set the filter to the following:
This filter will match any changes to the IAM policy for your project.
- Under “Configuration”, select “Create Alert from Metric”.
- Configure your alert as desired, including the notification channels you want to use.
- Save your alert.
Using CLI
Using CLI
To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using GCP CLI, please follow the below steps:Note: Replace
- Open the GCP Cloud console and navigate to the Security Command Center.
- Click on the “Security Health Analytics” tab and select “Audit Configuration Change Log Alerts” from the list of security checks.
- If the check is failed, click on the “Remediate” button.
- In the “Remediation” dialog box, select the “GCP CLI” option.
- Open the Cloud Shell in the GCP console.
- Run the following command to enable the audit configuration change log alerts:
[SINK_NAME] with a name for the sink and [BUCKET_NAME] with the name of the destination bucket.- After running the above command, verify that the audit configuration change log alerts are enabled by running the following command:
- Check the output of the above command to ensure that the “logFilter” parameter is set to
resource.type="audited_resource" AND protoPayload.methodName="google.cloud.audit.AuditLogService.UpdateConfig".
Using Python
Using Python
To remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using Python, you can follow these steps:This should remediate the misconfiguration “Audit Configuration Change Log Alerts Should Be Enabled” for GCP using Python.
- Install the Google Cloud SDK and authenticate with your GCP account using the following command:
- Install the required Python libraries using the following command:
- Create a new Python script and import the required libraries:
- Create a service account with the necessary permissions to access the logs using the GCP Console.
- Create a credentials object using the service account key file:
- Create a Logging client object:
- Retrieve the current configuration for the project’s logging sink:
- Modify the configuration to enable audit configuration change log alerts:
- Verify that the configuration has been updated by checking the sink’s properties: