Google Cloud Logging

Audit Logging Not Configured Properly

Risk Level: Medium

Description

This plugin checks that Cloud Audit Logging is configured to track all admin activities and read and write access to user data. Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access. Admin Activity logs contain entries for API calls or other administrative actions that modify the configuration or metadata of resources; Data Access audit logs record API calls that create, modify, or read user-provided data.

About the Service

Google Cloud Logging:

Cloud Logging is a fully managed service that allows you to store, search, analyze, monitor, and alert on logging data and events from Google Cloud and Amazon Web Services. Logging lets you read and write log entries, query your logs, and control how you route and use your logs. Log-based metrics are based on the content of log entries. For example, the metrics can record the number of log entries containing particular messages, or they can extract latency information reported in log entries. You can use log-based metrics in Cloud Monitoring charts and alerting policies.

Impact

The default audit configuration should log all admin activities and all read and write access to data for all services. If the Admin Read, Data Read, or Data Write options are left unchecked, those operations are not recorded, leaving gaps in the audit trail when access to user data has to be investigated.

Steps to Reproduce

Using GCP Console-

To check whether the default audit logging is properly configured to log all admin activities, including read and write access, follow the steps below:

  1. Sign in to the Google Cloud Platform Console using an administrator account.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the Navigation Menu on the left, locate the IAM & Admin section under All Products and click on it.
  4. Under IAM & Admin, click on Audit Logs. The Audit Logs page will appear.
  5. On the Audit Logs page, click on the Default Audit Config option at the top.
  6. On the Default Audit Config page, if the Admin Read, Data Read, and Data Write options are unchecked, the default audit logging is not enabled on the GCP project.
  7. Repeat the above steps to check the other GCP projects/folders in your organization.

Steps for Remediation

Using GCP Console-

To ensure that the default audit logging is properly configured to log all admin activities, including read and write access, follow the steps below:

  1. Sign in to the Google Cloud Platform Console using an administrator account.
  2. From the top navigation bar, select the GCP project you want to investigate.
  3. From the Navigation Menu on the left, locate the IAM & Admin section under All Products and click on it.
  4. Under IAM & Admin, click on Audit Logs. The Audit Logs page will appear.
  5. On the Audit Logs page, click on the Default Audit Config option at the top.
  6. On the Default Audit Config page, if the Admin Read, Data Read, and Data Write options are unchecked, the default audit logging is not enabled on the GCP project.
  7. Check the unchecked options, i.e. Admin Read, Data Read, and Data Write. All three options must be checked for audit logging to be considered properly configured.
  8. Click on the Save button at the bottom of the page.
  9. Repeat the above steps for the other GCP projects/folders in your organization.
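The console's Default Audit Config page edits the `allServices` entry under `auditConfigs` in the project's IAM policy, so the same check and fix can be scripted over the JSON that `gcloud projects get-iam-policy --format=json` returns. The example below is added here and is not the plugin's own code: it flags a missing default config, missing log types and exempted members (which the console steps above do not surface), and builds the corrected policy for `gcloud projects set-iam-policy`. The sample policy, e-tag and member names are constructed.

```python
import copy

# The console's "Default Audit Config" is the "allServices" entry under
# auditConfigs in the project IAM policy (gcloud projects get-iam-policy).
# Admin Activity (ADMIN_WRITE) logs are always on, so only these three matter.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")


def check_default_audit_config(policy):
    """Return a list of findings; an empty list means the default config is complete."""
    cfg = next((c for c in policy.get("auditConfigs", [])
                if c.get("service") == "allServices"), None)
    if cfg is None:
        return ["no default (allServices) audit config present"]
    findings, enabled = [], set()
    for log_cfg in cfg.get("auditLogConfigs", []):
        log_type = log_cfg.get("logType")
        enabled.add(log_type)
        # Exempted members are dropped from the log, which is an audit gap too.
        if log_cfg.get("exemptedMembers"):
            findings.append(f"{log_type} exempts members: {log_cfg['exemptedMembers']}")
    findings += [f"{lt} not enabled" for lt in REQUIRED_LOG_TYPES if lt not in enabled]
    return findings


def remediate(policy):
    """Return a copy of the policy with all three log types enabled for allServices."""
    fixed = copy.deepcopy(policy)  # keeps etag and bindings intact for set-iam-policy
    others = [c for c in fixed.get("auditConfigs", []) if c.get("service") != "allServices"]
    fixed["auditConfigs"] = others + [{
        "service": "allServices",
        "auditLogConfigs": [{"logType": lt} for lt in REQUIRED_LOG_TYPES],
    }]
    return fixed


# Constructed sample policy: DATA_READ missing and ADMIN_READ carrying an exemption.
SAMPLE_POLICY = {
    "etag": "BwXyExampleEtag=",
    "bindings": [{"role": "roles/owner", "members": ["user:admin@example.com"]}],
    "auditConfigs": [{"service": "allServices", "auditLogConfigs": [
        {"logType": "ADMIN_READ", "exemptedMembers": ["user:alice@example.com"]},
        {"logType": "DATA_WRITE"},
    ]}],
}

if __name__ == "__main__":
    print(check_default_audit_config(SAMPLE_POLICY))
    print(check_default_audit_config(remediate(SAMPLE_POLICY)))
```

Per-service entries in `auditConfigs` are left untouched, and the returned policy must be written back with the original `etag` so a concurrent policy change is not silently overwritten.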