
Enable data access audit logging for all critical service APIs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that data access audit logging is enabled for all critical service APIs in your Google Cloud project for security, compliance, and troubleshooting purposes. The critical service APIs that you can enable for your GCP project include but are not limited to Identity and Access Management (IAM) API (iam.googleapis.com), Compute Engine API (compute.googleapis.com), Cloud Storage (storage-component.googleapis.com), Google Cloud Pub/Sub API (pubsub.googleapis.com), Cloud Key Management Service (KMS) API (cloudkms.googleapis.com), and Cloud Logging API (logging.googleapis.com).


Enabling data access audit logs for all critical service APIs within Google Cloud Platform (GCP) is essential for achieving compliance, enhancing security measures, establishing accountability, and facilitating efficient troubleshooting. By proactively monitoring and meticulously analyzing the activity occurring within your service APIs, you gain invaluable insights that empower you to swiftly identify and respond to potential security incidents. In Google Cloud, data access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.


Audit

To determine if data access audit logs are enabled for all critical service APIs within your GCP project, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin and select Audit Logs.

04 To check the data access audit log configuration for all the critical service APIs, select the maximum number of rows per page from the Rows per page dropdown menu available at the bottom of the page, then check the log types, i.e. the values in the Admin Read, Data Write, and Data Read columns, for each critical GCP service. (Optional) You can also use the Filter box at the top of the page to find the audit log entries for the services that you are interested in. If the Admin Read, Data Write, and Data Read log types are not all enabled for every critical service API listed on the page, data access audit logging is not enabled for all the critical service APIs in the selected GCP project, therefore the configuration of the audit logging feature is not compliant.

05 Repeat steps no. 2 – 4 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each GCP project available within your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project identifier(s):

PROJECT_ID
  cc-web-app-project-112233
  cc-bigdata-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the IAM policy created for the selected project:

gcloud projects get-iam-policy cc-web-app-project-112233 \
  --format=json

04 The command output should return the IAM policy defined for the GCP project:

{
	"bindings": [
		{
			"members": [
				"user:admin@trendmicro.com"
			],
			"role": "roles/owner"
		},
		{
			"members": [
				"serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"
			],
			"role": "roles/container.serviceAgent"
		},
		{
			"members": [
				"user:secops@trendmicro.com"
			],
			"role": "roles/editor"
		}
	],
	"etag": "abcdabcdabcd",
	"version": 1
}

05 The IAM policy returned at the previous step should include the "auditConfigs" configuration object. This object contains the configuration parameters for the data access audit logs. The following "auditConfigs" object configuration enables data access audit logging for all service APIs (i.e. all GCP services):

{
	"auditConfigs": [
		{
			"auditLogConfigs": [
				{
					"logType": "ADMIN_READ"
				},
				{
					"logType": "DATA_READ"
				},
				{
					"logType": "DATA_WRITE"
				}
			],
			"service": "allServices"
		}
	]
}

Check the IAM policy document returned by the projects get-iam-policy command output at step no. 4 for the "auditConfigs" configuration object. If the policy does not contain the "auditConfigs" object or the object does not have the same configuration as the one listed above (i.e. the "service" attribute is not set to "allServices" for all log types), data access audit logging is not enabled for all the critical service APIs in the selected GCP project, therefore the configuration available for the audit logging feature is not compliant.

06 Repeat steps no. 3 – 5 for each project deployed within your Google Cloud Platform (GCP) account.
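The compliance decision from step 5 can be automated over the JSON returned by `gcloud projects get-iam-policy --format=json`. The following script is an added example, not Conformity's own check; it generalises the rule slightly by accepting either the "allServices" entry or per-service entries (Google Cloud merges the two), and reports which of the critical service APIs named above still lack a required log type. The sample policies are constructed for the demonstration.

```python
import json

# Log types that must be enabled for every critical service API.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Critical service APIs named in this article (extend the list as needed).
CRITICAL_SERVICES = [
    "iam.googleapis.com",
    "compute.googleapis.com",
    "storage-component.googleapis.com",
    "pubsub.googleapis.com",
    "cloudkms.googleapis.com",
    "logging.googleapis.com",
]


def enabled_log_types(policy, service):
    """Set of data access log types enabled for one service.

    The "allServices" entry and a service-specific entry are combined, which is
    how Google Cloud evaluates them. A log type with "exemptedMembers" is still
    enabled for everyone not listed there, so it counts as enabled here.
    """
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") in ("allServices", service):
            for log_cfg in cfg.get("auditLogConfigs", []):
                enabled.add(log_cfg.get("logType"))
    return enabled


def audit_log_gaps(policy, services=CRITICAL_SERVICES):
    """Map each non-compliant service to its missing log types (empty dict = compliant)."""
    gaps = {}
    for svc in services:
        missing = REQUIRED_LOG_TYPES - enabled_log_types(policy, svc)
        if missing:
            gaps[svc] = sorted(missing)
    return gaps


# Constructed sample: like the policy in step 4, it has no "auditConfigs" at all.
NO_AUDIT_POLICY = json.loads('{"bindings": [], "etag": "abcdabcdabcd", "version": 1}')

# Constructed sample: ADMIN_READ for all services, DATA_WRITE only for Cloud KMS.
PARTIAL_POLICY = {
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "cloudkms.googleapis.com", "auditLogConfigs": [{"logType": "DATA_WRITE"}]},
    ],
    "bindings": [],
}

if __name__ == "__main__":
    print(json.dumps(audit_log_gaps(PARTIAL_POLICY), indent=2))
```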

Remediation / Resolution

To enable data access audit logging for all critical service APIs by updating the IAM policy associated with GCP projects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin and select Audit Logs.

04 On the Audit Logs page, perform the following actions:

  1. Select the maximum number of rows per page from the Rows per page dropdown menu available at the bottom of the page.
  2. Under Data Access audit logs configuration, select all the supported service APIs from the Service column.
  3. Choose the LOG TYPES tab from the right panel, select the Admin Read, Data Write, and Data Read checkboxes, and choose SAVE to apply the changes. This will enable data access audit logging for all Google Cloud APIs, including critical service APIs.

05 Repeat steps no. 2 – 4 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP project and replace or add the "auditConfigs" object to the existing policy as configured below, then save the IAM policy document to a JSON file named enable-data-access-audit-logging.json:

"auditConfigs": [
	{
		"auditLogConfigs": [
			{
				"logType": "ADMIN_READ"
			},
			{
				"logType": "DATA_READ"
			},
			{
				"logType": "DATA_WRITE"
			}
		],
		"service": "allServices"
	}
]

02 Run projects set-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to reconfigure as the identifier parameter to update the associated IAM policy in order to enable data access audit logging for all Google Cloud APIs, including critical service APIs:

gcloud projects set-iam-policy cc-web-app-project-112233 enable-data-access-audit-logging.json

03 The command output should return the reconfigured IAM policy document:

Updated IAM policy for project [cc-web-app-project-112233].
	auditConfigs:
	- auditLogConfigs:
		- logType: ADMIN_READ
		- logType: DATA_READ
		- logType: DATA_WRITE
		service: allServices
	bindings:
	- members:
		- user:admin@trendmicro.com
		role: roles/editor
	- members:
		- serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com
		role: roles/container.serviceAgent
	- members:
		- user:admin@cloudconformity.com
		role: roles/owner
	etag: abcdabcdabcd
	version: 1

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud Platform (GCP) account.
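Step 1 asks you to replace or add the "auditConfigs" object in the existing policy before writing the file that set-iam-policy consumes. The script below is an added example (not Conformity's or Google's code) of doing that merge without touching the bindings, the etag, or any service-specific audit entries the policy already has; the starting policy is the constructed sample from step 4 of the audit section, and the output file name matches the one used in step 2.

```python
import json

# The "auditConfigs" entry from step 1: all three log types for every service.
FULL_DATA_ACCESS_CONFIG = {
    "service": "allServices",
    "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_READ"},
        {"logType": "DATA_WRITE"},
    ],
}


def with_full_audit_config(policy):
    """Return a copy of the policy with the "allServices" audit entry replaced or added.

    Service-specific entries (and any exemptedMembers on them) are kept, so a
    narrower configuration is never silently dropped. Bindings and etag are
    preserved: set-iam-policy uses the etag to reject a stale overwrite if the
    policy changed between get-iam-policy and set-iam-policy.
    """
    updated = json.loads(json.dumps(policy))  # deep copy; input is not modified
    others = [c for c in updated.get("auditConfigs", []) if c.get("service") != "allServices"]
    updated["auditConfigs"] = [FULL_DATA_ACCESS_CONFIG] + others
    return updated


def write_policy_file(policy, path="enable-data-access-audit-logging.json"):
    """Serialise the reconfigured policy to the file passed to set-iam-policy."""
    updated = with_full_audit_config(policy)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(updated, fh, indent=2)
    return path


# Constructed sample: the policy returned in step 4 of the audit section.
SAMPLE_POLICY = {
    "bindings": [
        {"members": ["user:admin@trendmicro.com"], "role": "roles/owner"},
        {"members": ["user:secops@trendmicro.com"], "role": "roles/editor"},
    ],
    "etag": "abcdabcdabcd",
    "version": 1,
}

if __name__ == "__main__":
    print(json.dumps(with_full_audit_config(SAMPLE_POLICY), indent=2))
```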


Publication date May 25, 2023