Enable Data Access Audit Logs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

To ensure security, compliance, and effective troubleshooting, enable Data Access audit logs for your API Gateway APIs. API Gateway provides two main types of audit logs:

  • Admin Activity audit logs: These logs capture operations that modify the configuration or metadata of resources, such as updating or deleting APIs or API gateways. Admin Activity audit logs are enabled by default and cannot be turned off.
  • Data Access audit logs: These logs track operations not covered by Admin Activity logs. Data Access audit logs include the following sub-types:
    • ADMIN_READ: Logs operations that read metadata or configuration information. This is useful for auditing who has read-only access to the configurations or settings of your API Gateway resources.
    • DATA_READ: Logs operations that read user-provided data. This is useful for tracking read interactions with your API Gateway resources.
    • DATA_WRITE: Logs operations that write user-provided data. This is critical for tracking changes to your API Gateway configuration and resources.
Unlike Admin Activity logs, Data Access audit logs are disabled by default and must be explicitly enabled.

Security, Reliability, Cost optimisation, Performance efficiency, Operational excellence

Enabling Data Access audit logs for API Gateway APIs is crucial for ensuring compliance, strengthening security, promoting accountability, and streamlining troubleshooting efforts. By actively monitoring and analyzing activity for your API Gateway resources, you can gain valuable insights that enable swift detection and response to potential security threats. In Google Cloud Platform (GCP), Data Access audit logs capture API calls that access resource configurations or metadata, along with user-initiated API calls that create, modify, or read data provided by users.


Audit

To determine if Data Access audit logs are enabled for your API Gateway APIs, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Cloud API Gateway API, and press Enter.

06 Select the Cloud API Gateway API service to show the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab and check the log types configured for Cloud API Gateway API to determine what types of operations are recorded in your Data Access audit logs for the selected service. If Admin Read, Data Write, and Data Read log types are not enabled (i.e., the log type checkboxes are not selected), Data Access audit logs are disabled for your API Gateway APIs.

08 Repeat steps no. 2 – 7 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list
	--format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the IAM policy created for the selected project. The project's IAM policy includes the auditConfigs configuration object, which contains the configuration parameters for Data Access audit logs.

gcloud projects get-iam-policy cc-project5-123123
	--format="yaml(auditConfigs)"

04 The command output should return the IAM policy defined for the GCP project (including the auditConfigs object):

auditConfigs:

- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: storage.googleapis.com

- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: compute.googleapis.com

If the projects get-iam-policy command output returns null, Data Access audit logs are not enabled for the Google Cloud services and APIs supported within the selected GCP project. If the command output returns the auditConfigs configuration object, as shown in the example above, audit logs are enabled for certain services and APIs. If ADMIN_READ, DATA_READ, and DATA_WRITE log types are not listed for service: apigateway.googleapis.com, Data Access audit logs are disabled for your API Gateway APIs.

05 Repeat steps no. 3 and 4 for each project deployed within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To enable Data Access audit logs for your API Gateway APIs, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Cloud API Gateway API, and press Enter.

06 Select the Cloud API Gateway API service to display the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab, check the Admin Read, Data Write, and Data Read checkboxes, and choose SAVE to apply the changes. This will enable Data Access audit logs for all the API Gateway APIs available within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP project and add the "auditConfigs" object to the existing policy as configured below. Save the IAM policy document to a JSON file named cc-enable-data-access-audit-logs.json. If audit logs are already enabled for other GCP services, just add the "auditLogConfigs" object to the existing "auditConfigs". The example below demonstrates Data Access audit logs enabled exclusively for API Gateway APIs:

"auditConfigs": [
	{
		"auditLogConfigs": [
			{
				"logType": "ADMIN_READ"
			},
			{
				"logType": "DATA_READ"
			},
			{
				"logType": "DATA_WRITE"
			}
		],
		"service": "apigateway.googleapis.com"
	}
]

02 Run projects set-iam-policy command (Windows/macOS/Linux) with the name of the GCP project that you want to configure as the identifier parameter, to update the associated IAM policy in order to enable Data Access audit logs for all the API Gateway APIs available in the selected GCP project:

gcloud projects set-iam-policy cc-project5-123123 cc-enable-data-access-audit-logs.json

03 The command output should return the modified IAM policy document:

Updated IAM policy for project [cc-project5-123123].
auditConfigs:
- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: apigateway.googleapis.com
bindings:
- members:
	- user:username@domain.com
	role: roles/apigateway.viewer
etag: abcdabcdabcd
version: 1

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud Platform (GCP) account.
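As an added example (not Conformity's or Google's own tooling), the Python script below performs the Audit step's check on a project IAM policy document and the Remediation step's edit, merging the apigateway.googleapis.com entry into an existing auditConfigs without dropping other services. It assumes the policy dict is what gcloud projects get-iam-policy PROJECT --format=json returns and that the result is written to a file and applied with gcloud projects set-iam-policy; SAMPLE_POLICY, enabled_log_types, missing_log_types and enable_data_access_logs are names chosen here.

```python
import copy

API_GATEWAY = "apigateway.googleapis.com"
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Constructed sample policy (values mirror the page's examples): Data Access audit logs
# are enabled for Cloud Storage only, so API Gateway is non-compliant.
SAMPLE_POLICY = {
    "auditConfigs": [
        {"auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_READ"},
                             {"logType": "DATA_WRITE"}],
         "service": "storage.googleapis.com"},
    ],
    "bindings": [{"members": ["user:username@domain.com"], "role": "roles/apigateway.viewer"}],
    "etag": "abcdabcdabcd",
    "version": 1,
}

def enabled_log_types(policy, service=API_GATEWAY):
    """Log types enabled for `service`. A missing or null auditConfigs (what the CLI
    prints as 'null') and a missing service entry both yield an empty set."""
    types = set()
    for cfg in policy.get("auditConfigs") or []:
        if cfg.get("service") == service:
            types.update(e.get("logType") for e in cfg.get("auditLogConfigs") or [])
    return types

def missing_log_types(policy, service=API_GATEWAY):
    """Audit check: required log types not yet enabled (empty set means compliant)."""
    return REQUIRED_LOG_TYPES - enabled_log_types(policy, service)

def enable_data_access_logs(policy, service=API_GATEWAY):
    """Remediation: return a copy of `policy` with all three log types enabled for
    `service`, keeping other services' auditConfigs, bindings, etag and version intact."""
    new_policy = copy.deepcopy(policy)
    if not new_policy.get("auditConfigs"):
        new_policy["auditConfigs"] = []
    for cfg in new_policy["auditConfigs"]:
        if cfg.get("service") == service:
            entries = cfg.get("auditLogConfigs") or []
            present = {e.get("logType") for e in entries}
            entries.extend({"logType": lt} for lt in sorted(REQUIRED_LOG_TYPES - present))
            cfg["auditLogConfigs"] = entries  # no-op if it was already this list
            return new_policy
    new_policy["auditConfigs"].append(
        {"auditLogConfigs": [{"logType": lt} for lt in sorted(REQUIRED_LOG_TYPES)],
         "service": service})
    return new_policy
```

Because set-iam-policy replaces the entire policy, always start from the fetched document so the existing bindings and etag are carried over, which is what the merge above preserves.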

Publication date Jan 16, 2025