Google Cloud Logging

Audit Logging Exempted Members

Risk Level: Medium

Description

This plugin ensures that the default audit logging configuration has no exempted members. The default audit logs should be configured to log all admin activities and data read and write access for all services. In addition, no exempted members should be added to the configuration, so that all audit logs are delivered.

About the Service

Google Cloud Logging:

Cloud Logging is a fully managed service that allows you to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. Logging lets you read and write log entries, query your logs, and control how you route and use your logs. Log-based metrics are based on the content of log entries. For example, the metrics can record the number of log entries containing particular messages, or they can extract latency information reported in log entries. You can use log-based metrics in Cloud Monitoring charts and alerting policies.

Impact

The default audit logs should be configured to log all admin activities and data read and write access for all services, and no exempted members should be added, so that all audit logs are delivered. This plugin ensures that the default audit logging configuration has no exempted members. A log sink with no filter is also necessary to ensure that all logs are being sent. The recommended action is therefore to ensure that the default audit logs are enabled to log all admin activities and data read and write access for all services, with no exempted members.

Steps to Reproduce

Using GCP Console-

To check whether any exempted member is present in the default audit configuration (which would prevent the proper delivery of all audit logs), follow the steps below:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under the IAM & Admin section, click on Audit Logs. The Audit Logs page will open.
  5. On the Audit Logs page, click on the Default Audit Config option at the top.
  6. The Default Audit Config page will appear. Click on the Exempted Users tab, next to the Log Type tab.
  7. Check whether any exempted users are listed. If any exempted member is present, the proper delivery of all audit logs is not ensured.
  8. Repeat the above steps for the other GCP projects/folders in your organization.

Steps for Remediation

Using GCP Console-

To remove exempted members and ensure the proper delivery of all audit logs for the GCP project, follow the steps below:

  1. Sign in to the Google Cloud Platform Console with an administrator account.
  2. From the top navigation bar, select the GCP project you want to remediate.
  3. From the Navigation Menu on the left, find the IAM & Admin section under All Products and click on it.
  4. Under the IAM & Admin section, click on Audit Logs. The Audit Logs page will open.
  5. On the Audit Logs page, click on the Default Audit Config option at the top.
  6. The Default Audit Config page will appear. If any exempted member exists in the default audit configuration, delete it by clicking on the Delete icon on the left of the screen.
  7. Click on the Save button at the bottom of the page. This removes the exempted users and ensures the proper delivery of all audit logs for the GCP project.
  8. Repeat the above steps for the other GCP projects/folders in your organization.
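The console steps above (both the check and the remediation) can be scripted against the project's IAM policy, where the audit configuration lives. The following is an added example, not code from the original page or from the plugin it describes. It parses a policy document in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json`, reports every exempted member under any `auditConfigs` entry, confirms that the default config (service `allServices`, which is what the console's Default Audit Config edits) enables all three configurable log types, and produces a cleaned copy of the policy with the exemptions removed. The policy text, project id, members and etag are constructed sample values.

```python
"""Check a GCP project's IAM policy for audit-log exempted members.

Added example, not part of the original page. Input is the JSON shape
produced by: gcloud projects get-iam-policy PROJECT_ID --format=json
The policy below is CONSTRUCTED sample input with placeholder members.
"""
import copy
import json

# The three audit log types that are configurable per service. Admin Activity
# logs are always on and cannot be disabled, so they never appear here.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}
DEFAULT_SERVICE = "allServices"  # the console's "Default Audit Config"

# Constructed sample policy: two exemptions on the default config and one
# on a per-service override.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_READ",
         "exemptedMembers": ["user:alice@example.com"]},
        {"logType": "DATA_WRITE",
         "exemptedMembers": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
      ]
    },
    {
      "service": "storage.googleapis.com",
      "auditLogConfigs": [
        {"logType": "DATA_READ", "exemptedMembers": ["group:devs@example.com"]}
      ]
    }
  ],
  "bindings": [],
  "etag": "BwXexampleEtag="
}
"""


def find_exempted_members(policy):
    """Return (service, logType, member) for every exemption in the policy."""
    findings = []
    for cfg in policy.get("auditConfigs", []):
        service = cfg.get("service", "")
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append((service, log_cfg.get("logType", ""), member))
    return findings


def default_config_missing_log_types(policy):
    """Return the required log types the allServices config does not enable."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == DEFAULT_SERVICE:
            enabled.update(lc.get("logType", "") for lc in cfg.get("auditLogConfigs", []))
    return sorted(REQUIRED_LOG_TYPES - enabled)


def strip_exemptions(policy):
    """Return a deep copy of the policy with every exemptedMembers list removed.

    Bindings and etag are preserved so the result can be written back with
    `gcloud projects set-iam-policy PROJECT_ID policy.json`; the etag makes
    the write fail if someone changed the policy in between.
    """
    fixed = copy.deepcopy(policy)
    for cfg in fixed.get("auditConfigs", []):
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_cfg.pop("exemptedMembers", None)
    return fixed


def check_policy_json(text):
    """Parse a policy JSON string and return findings plus a remediated copy."""
    policy = json.loads(text)
    return {
        "exempted": find_exempted_members(policy),
        "missing_default_log_types": default_config_missing_log_types(policy),
        "remediated": strip_exemptions(policy),
    }


if __name__ == "__main__":
    result = check_policy_json(SAMPLE_POLICY_JSON)
    for service, log_type, member in result["exempted"]:
        print(f"FAIL: {service} {log_type} exempts {member}")
    if result["missing_default_log_types"]:
        print("FAIL: default config missing", result["missing_default_log_types"])
    # Remediated policy, ready to be saved and applied with set-iam-policy.
    print(json.dumps(result["remediated"], indent=2))
```

Run it against a real project by replacing `SAMPLE_POLICY_JSON` with the output of `gcloud projects get-iam-policy PROJECT_ID --format=json`. Per-service overrides are reported as well as the default config, because an exemption on a single service gap-fills the audit trail just as effectively as one on `allServices`. Review the cleaned policy before applying it; `set-iam-policy` replaces the whole policy, so the copy must still carry the project's bindings.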