Storage Permissions Change Log Alerts Should Be Enabled
More Info:
Ensures that logging and log alerts exist for storage permission changes. Storage permissions include access to the buckets that store the logs, any changes in storage permissions should be heavily monitored to prevent unauthorized changes.Risk Level
MediumAddress
SecurityCompliance Standards
CISGCP, CBP, HIPAA, ISO27001, HITRUSTTriage and Remediation
Remediation
Using Console
Using Console
To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using GCP console, follow the below steps:
- Open the Google Cloud Console and select the project for which you want to enable storage permissions change log alerts.
- Navigate to the Cloud Storage page and select the bucket for which you want to enable the alerts.
- Click on the “Edit Bucket Details” button to open the bucket details page.
- Scroll down to the “Advanced Settings” section and click on the “Edit Bucket Permissions” button.
- In the “Bucket Permissions” window, click on the “Add Member” button.
- In the “Add members” window, enter the email address of the user or group that you want to receive the alerts.
- In the “Select a role” dropdown menu, select the “Storage Object Admin” role.
- Click on the “Save” button to add the member with the selected role.
- Now, click on the “Add Notification” button in the “Advanced Settings” section.
- In the “Add Notification” window, select the “Object Change” event type.
- In the “Filter” section, select the “All object changes” option.
- In the “Delivery” section, select the “Email” option and enter the email address of the user or group that you added in step 6.
- Click on the “Save” button to save the notification.
- Repeat steps 9 to 13 for each user or group that you want to receive the alerts.
- Once you have added all the necessary members and notifications, click on the “Save” button to save the changes.
Using CLI
Using CLI
To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using GCP CLI, you can follow the below steps:
- Open the GCP CLI terminal and authenticate with your GCP account using the following command:
- Check whether the Stackdriver Logging API is enabled or not using the following command:
If the Stackdriver Logging API is not enabled, then enable it using the following command:
- Create a sink to export logs to Cloud Pub/Sub using the following command:
Replace the
[SINK_NAME]with a name for the sink,[PROJECT_ID]with the ID of the GCP project, and[TOPIC_NAME]with the name of the Cloud Pub/Sub topic to export the logs to. - Grant the Cloud Pub/Sub Publisher role to the service account used by the sink using the following command:
Replace the
[PROJECT_ID]with the ID of the GCP project and[SINK_SERVICE_ACCOUNT]with the email address of the service account used by the sink. - Enable the sink using the following command:
Replace the
[SINK_NAME]with the name of the sink,[PROJECT_ID]with the ID of the GCP project, and[TOPIC_NAME]with the name of the Cloud Pub/Sub topic to export the logs to.
Using Python
Using Python
To remediate the misconfiguration “Storage Permissions Change Log Alerts Should Be Enabled” for GCP using Python, you can follow these steps:These steps will enable the storage permissions change log alerts for GCP using Python.
- Import the necessary libraries:
- Set up the client:
- Define the project ID:
- Define the log sink:
- Define the log filter:
- Define the log sink destination:
- Define the log sink configuration:
- Define the log sink resource:
- Create the log sink:
- Verify that the log sink was created successfully: