GCP Logs Monitoring

Your logging setup can grow exponentially along with your other services, and misconfigured logging is easy to miss.

The following GCP Logging setup checks are performed at a configurable frequency.

Network Route Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for VPC network route changes.

Network Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for VPC network changes.

Firewall Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for firewall rule changes.

SQL Configuration Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for Cloud SQL instance configuration changes. Any change to a SQL instance's configuration should be heavily monitored so that unauthorized changes are detected.

Project Ownership Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for project ownership assignments and changes. Project ownership is the highest level of privilege on a project, so any change in project ownership should be heavily monitored to prevent unauthorized changes.

Audit Configuration Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for audit configuration changes. Audit configuration controls what activity is recorded at all, so any change to it should be heavily monitored to prevent unauthorized changes.

Storage Permissions Change Log Alerts Should Be Enabled

Ensures that logging and log alerts exist for storage permission changes. Storage permissions include access to the buckets that store the logs, so any change in storage permissions should be heavily monitored to prevent unauthorized changes.

Custom Role Change Log Alerts Should Be Enabled

Ensures that a log metric filter and alerts exist for custom role changes.

Cloud Audit Logging Should Be Enabled

Ensures that Cloud Audit Logging is configured properly for all services and all users in a project.

Sinks Should Be Configured For Log Entries

Ensures that sinks are configured to export all log entries.

Log Buckets Should Have Retention Policies

Ensures that retention policies on log buckets are configured using Bucket Lock.

Cloud SQL Data Access Audit Logging Should Be Enabled

Ensures that Cloud SQL Data Access audit logging is configured properly for all users in a project.

Cloud SQL Admin Activity Audit Logging Should Be Enabled

Ensures that Cloud SQL Admin Activity audit logging is configured properly across all projects.

Cloud SQL System Event Audit Logging Should Be Enabled

Ensures that Cloud SQL System Event audit logging is configured properly across all projects.

Ensure Cloud DNS Logging Is Enabled For All VPC Networks

Security monitoring and forensics cannot depend solely on the IP addresses in VPC flow logs, especially given the dynamic IP usage of cloud resources, HTTP virtual host routing, and other technology that hides the DNS name a client used behind a shared IP address. Monitoring Cloud DNS logs provides visibility into the DNS names requested by clients within the VPC. These logs can be monitored for anomalous domain names and evaluated against threat intelligence.

Note: For full capture of DNS, the firewall must block egress UDP/53 (DNS) and TCP/443 (DNS over HTTPS) to prevent clients from using an external DNS name server for resolution.

Ensure Cloud Asset Inventory Is Enabled

The GCP resources and IAM policies captured by Cloud Asset Inventory enable security analysis, resource change tracking, and compliance auditing.

Ensure Access Approval Is Enabled

Controlling access to your information is one of the foundations of information security. Google employees can access your organization's projects for support reasons. With Access Approval, organizations can be certain that their information is accessed only by approved Google personnel.