Google Cloud Storage

Bucket Logging Disabled

Ensures that object logging is enabled on storage buckets.

Risk Level: Medium

Description

This plugin ensures that object logging is enabled on storage buckets. Google Cloud Storage lets you download and view your object logs when enabled on the storage buckets. These logs provide information about the storage consumption and requests made on a specific bucket on a timely basis.

About the Service

Google Cloud Storage:

Google Cloud Storage is a service that provides dependable and secure storage classes for any workload, allowing users to select cost-effective storage alternatives based on their requirements. You can effortlessly move data to Cloud storage and benefit from its strong security and scalability features. To know more, read here

Impact

Without bucket logging, you will not be able to view the information related to the storage consumption of the buckets or any requests made on your buckets. This puts you at a significant disadvantage in the event of a security breach because you won't be able to examine or analyze the logs.

Steps to Reproduce

Note: Bucket logging can only be accessed through the GCP Command Line Interface (CLI). If you don’t have the gsutil tool, check the Google Cloud Documentation using the link here

Using GCP CLI-

  • Using your account credentials, configure the GCP CLI if you haven’t already.
  • To check if your bucket has logging enabled, run the following command:
gsutil logging get gs://example-bucket
  • If logging is enabled, an output similar to the one below will be displayed. This output consists of the logging configuration for the bucket. 
{"logBucket": "example-logs-bucket", "logObjectPrefix": "log_object_prefix"}
  • If logging is not enabled, an output similar to the one below will be displayed.
gs://example-bucket/ has no logging configuration.
  • Repeat steps for all the buckets you want to investigate.

Steps for Remediation

Determine whether or not you truly require bucket logging to be disabled. If not, make the necessary changes to enable it using the steps below.


Using GCP CLI-

  • Using your account credentials, configure the GCP CLI if you haven’t already.

  • Using the following command, create a bucket to store your logs:
gsutil mb gs://example-logs-bucket
  • To give the authorization to produce and store logs as new objects, assign the roles/storage.legacyBucketWriter role for the bucket to Cloud Storage using the following command:

gsutil iam ch group:cloud-storage-analytics@google.com:legacyBucketWriter gs://example-logs-bucket

  • Finally, enable logging for the desired bucket using the following command:
    (If you do not know which bucket has logging disabled, follow the Steps to Reproduce to find out)
gsutil logging set on -b gs://example-logs-bucket [-o log_object_prefix ] gs://example-bucket
  • Repeat steps for all the buckets you want to reconfigure.