Enable Global Logging

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

To ensure centralized log management and consistent access control, use the global location when deploying user-defined Cloud Logging buckets. A global log bucket is not tied to a single region: its log entries may be physically stored in any of the supported regions. Note that this is the opposite of what a data-residency requirement calls for; if a given set of logs must stay in one region, keep that bucket regional and record the finding as an accepted exception rather than "fixing" it.

Security

Using global buckets in Google Cloud Logging lets you apply a single storage, retention and access-control policy to logs coming from every region, simplifies cross-region troubleshooting and analysis, and avoids maintaining one set of buckets and sinks per region. For organizations with infrastructure spread across many regions this keeps log storage uniform and easier to audit.


Audit

To determine the location of your Cloud Logging buckets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the left navigation panel, under Configure, select Logs Storage to access all the log buckets created for the selected GCP project.

05 Choose the log bucket that you want to examine, excluding the _Required bucket, click on the 3-dot button to open the bucket options menu, and select View bucket details.

06 In the Log bucket details information box, check the Region attribute value to determine the location of the selected log bucket. If Region is not set to global, the selected log bucket is regional and does not meet this requirement.

07 Repeat steps no. 5 and 6 for each log bucket that you want to examine, available for the selected project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the projects available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
tm-project5-123123
tm-web-prod-123456

03 Run logging buckets list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter to describe the configuration of each log bucket available within the selected project, including the system buckets, i.e. _Default and _Required:

gcloud logging buckets list \
  --project=tm-project5-123123

04 The command output should display the bucket information, including the bucket name and location:

LOCATION: us-central1
BUCKET_ID: tm-project5-log-bucket
RETENTION_DAYS: 365
CMEK: 
RESTRICTED_FIELDS:
INDEX_CONFIGS:
LIFECYCLE_STATE: ACTIVE
LOCKED:
CREATE_TIME: 2024-03-18T18:37:21.808599520Z
UPDATE_TIME: 2024-03-18T18:37:21.808599520Z

LOCATION: us-central1
BUCKET_ID: tm-server-access-logs-bucket
RETENTION_DAYS: 365
CMEK:
RESTRICTED_FIELDS:
INDEX_CONFIGS:
LIFECYCLE_STATE: ACTIVE
LOCKED:
CREATE_TIME: 2024-03-18T15:51:02.046480411Z
UPDATE_TIME: 2024-03-18T17:24:17.582119597Z

LOCATION: global
BUCKET_ID: _Default
RETENTION_DAYS: 30
CMEK: 
RESTRICTED_FIELDS:
INDEX_CONFIGS:
LIFECYCLE_STATE: ACTIVE
LOCKED:
CREATE_TIME:
UPDATE_TIME:

LOCATION: global
BUCKET_ID: _Required
RETENTION_DAYS: 400
CMEK: 
RESTRICTED_FIELDS:
INDEX_CONFIGS:
LIFECYCLE_STATE: ACTIVE
LOCKED: True
CREATE_TIME:
UPDATE_TIME:

Check the LOCATION attribute value for each bucket returned by the logging buckets list command to identify the bucket location. If LOCATION is not set to global, the verified Cloud Logging bucket is regional and does not meet this requirement. The system buckets _Default and _Required are created in the global location and cannot be deleted, so only user-defined buckets will normally need attention.

05 Repeat steps no. 3 and 4 for each GCP project available within your Google Cloud account.
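The same check, scripted so it can be run against many projects without reading the table by eye. This is an added example, not Conformity's or Google's own code: it parses the JSON that `gcloud logging buckets list --project=PROJECT --format=json` prints (the LogBucket resource name carries the location), and the sample input below is constructed to mirror the table output shown above, with one extra bucket in DELETE_REQUESTED state added to show how a bucket that is already being deleted is handled.

```python
"""Audit Cloud Logging bucket locations offline from gcloud JSON output.

Added example, not Conformity's or Google's code. Input is the JSON written by
`gcloud logging buckets list --project=PROJECT --format=json`.
"""
import json
import sys

# Constructed sample of that JSON output, trimmed to the fields this check needs.
# "old-bucket" is an assumption added to exercise the DELETE_REQUESTED path.
SAMPLE_BUCKETS_JSON = """
[
  {"name": "projects/tm-project5-123123/locations/us-central1/buckets/tm-project5-log-bucket",
   "retentionDays": 365, "lifecycleState": "ACTIVE"},
  {"name": "projects/tm-project5-123123/locations/us-central1/buckets/tm-server-access-logs-bucket",
   "retentionDays": 365, "lifecycleState": "ACTIVE"},
  {"name": "projects/tm-project5-123123/locations/europe-west1/buckets/old-bucket",
   "retentionDays": 30, "lifecycleState": "DELETE_REQUESTED"},
  {"name": "projects/tm-project5-123123/locations/global/buckets/_Default",
   "retentionDays": 30, "lifecycleState": "ACTIVE"},
  {"name": "projects/tm-project5-123123/locations/global/buckets/_Required",
   "retentionDays": 400, "lifecycleState": "ACTIVE", "locked": true}
]
"""


def parse_bucket_name(name):
    """Split 'projects/P/locations/L/buckets/B' into (project, location, bucket_id)."""
    parts = name.split("/")
    if len(parts) != 6 or parts[0::2] != ["projects", "locations", "buckets"]:
        raise ValueError(f"unexpected log bucket resource name: {name}")
    return parts[1], parts[3], parts[5]


def find_non_global_buckets(buckets_json, skip_pending_delete=True):
    """Return every bucket whose location is not 'global', as a list of dicts.

    The _Default and _Required system buckets are always global, so they never
    show up here. Buckets already in DELETE_REQUESTED state are skipped by
    default: they will disappear on their own and their location cannot be
    changed anyway.
    """
    findings = []
    for bucket in json.loads(buckets_json):
        project, location, bucket_id = parse_bucket_name(bucket["name"])
        if skip_pending_delete and bucket.get("lifecycleState") == "DELETE_REQUESTED":
            continue
        if location == "global":
            continue
        findings.append({
            "project": project,
            "bucket_id": bucket_id,
            "location": location,
            "retention_days": bucket.get("retentionDays"),
        })
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   gcloud logging buckets list --project=tm-project5-123123 --format=json | python3 audit_log_buckets.py
    # Without piped input the constructed sample is used.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BUCKETS_JSON
    for f in find_non_global_buckets(data):
        print(f"NON-COMPLIANT {f['project']}/{f['bucket_id']} location={f['location']}")
```

Run it per project inside the loop from step 05 above; the script only sees the project whose output you pipe in.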

Remediation / Resolution

The location of a Cloud Logging bucket cannot be changed after creation. If you need to use the global location for your logs, you must create new log buckets in the "global" location, repoint the sinks that fed the regional buckets to the new buckets, and only then retire the regional buckets. The system buckets _Default and _Required are already global and are not affected. To re-create your user-defined Cloud Logging buckets, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to configure from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the left navigation panel, under Configure, select Logs Storage.

05 Choose Create log bucket and perform the following actions:

  1. For Name, provide a unique name for your new log bucket.
  2. For Description, provide a short description for the bucket.
  3. (Optional) Select Upgrade to use Log Analytics to upgrade your bucket to use Log Analytics. If you want to use the capabilities of BigQuery to analyze your log data, select Create a new BigQuery dataset that links to this bucket and provide a name for your BigQuery dataset.
  4. Select global from the Select log bucket region dropdown list to create your log bucket in the "global" region.
  5. Choose Next to continue the setup.
  6. Configure the Retention Period for the log data stored within your bucket.
  7. Choose Create bucket to create your new Cloud Logging bucket.

06 Update every sink whose destination is the original (regional) log bucket so that it points to the new global bucket; keep each sink's filter unchanged so the same entries are routed. A sink left pointing at the old bucket will keep delivering logs there until the bucket is deleted, after which those entries are no longer stored.

07 (Optional) Remove the non-compliant (original) log bucket. Choose the user-defined log bucket that you want to delete, click on the 3-dot button to open the bucket options menu, and select Delete bucket. Choose Delete to confirm the resource removal.

08 Repeat steps no. 5 - 7 for each log bucket that you want to re-create, available for the selected project.

09 Repeat steps no. 2 – 8 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run logging buckets create command (Windows/macOS/Linux) to create a new Cloud Logging bucket in the "global" region (the command does not produce an output):

gcloud logging buckets create tm-project5-global-log-bucket \
  --project=tm-project5-123123 \
  --description="Project5 Global Log Bucket" \
  --retention-days=365 \
  --location=global

02 Update every sink whose destination is the original (regional) log bucket so that it points to the new global bucket, using the logging sinks update command with the new bucket as the destination and leaving the sink's log filter unchanged. Do this before deleting the original bucket, otherwise the affected sinks would keep targeting a bucket that no longer exists.

03 (Optional) Once no sink targets it any more, run logging buckets delete command (Windows/macOS/Linux) to remove the non-compliant (original) log bucket. A deleted bucket enters a pending-deletion state and can be restored within 7 days with the logging buckets undelete command:

gcloud logging buckets delete tm-project5-log-bucket \
  --project=tm-project5-123123 \
  --location=us-central1

04 Type y (yes) and press Enter for confirmation:

Really delete bucket [tm-project5-log-bucket]? (You can undelete it within 7 days if you change your mind later)

Do you want to continue (Y/n)?  y

Deleted [tm-project5-log-bucket].

05 Repeat steps no. 1 – 4 for each log bucket that you want to re-create, available for the selected project.

06 Repeat steps no. 1 – 5 for each GCP project available within your Google Cloud account.
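Step 02 of both remediation procedures says to redirect "the appropriate sink(s)" but does not show how to find them, and step 03 deletes a bucket that a forgotten sink may still feed. The following added example (not Conformity's or Google's code) closes that gap: it reads the JSON from `gcloud logging sinks list --project=PROJECT --format=json`, identifies the sinks whose destination is the regional bucket, emits the corresponding `gcloud logging sinks update` commands pointing at the new global bucket, and provides a pre-delete check. The sink names and filters in the sample input are constructed; the new bucket name matches the one created in step 01 above.

```python
"""Plan sink redirects before retiring a regional Cloud Logging bucket.

Added example, not Conformity's or Google's code. Input is the JSON written by
`gcloud logging sinks list --project=PROJECT --format=json`; a sink that routes
into a log bucket has a destination of the form
logging.googleapis.com/projects/P/locations/L/buckets/B.
"""
import json

LOG_BUCKET_PREFIX = "logging.googleapis.com/"

# Constructed sample of that JSON output (sink names and filters are assumptions).
SAMPLE_SINKS_JSON = """
[
  {"name": "_Required",
   "destination": "logging.googleapis.com/projects/tm-project5-123123/locations/global/buckets/_Required",
   "filter": "LOG_ID(cloudaudit.googleapis.com/activity)"},
  {"name": "app-logs-sink",
   "destination": "logging.googleapis.com/projects/tm-project5-123123/locations/us-central1/buckets/tm-project5-log-bucket",
   "filter": "resource.type=gce_instance"},
  {"name": "bq-export",
   "destination": "bigquery.googleapis.com/projects/tm-project5-123123/datasets/security_logs",
   "filter": "severity>=ERROR"}
]
"""


def log_bucket_destination(project, location, bucket_id):
    """Build the sink destination string for a Cloud Logging bucket."""
    return f"{LOG_BUCKET_PREFIX}projects/{project}/locations/{location}/buckets/{bucket_id}"


def parse_log_bucket_destination(destination):
    """Return (project, location, bucket_id) for a log-bucket destination, else None.

    Sinks may also target BigQuery, Cloud Storage or Pub/Sub; those are ignored.
    """
    if not destination.startswith(LOG_BUCKET_PREFIX):
        return None
    parts = destination[len(LOG_BUCKET_PREFIX):].split("/")
    if len(parts) != 6 or parts[0::2] != ["projects", "locations", "buckets"]:
        return None
    return parts[1], parts[3], parts[5]


def sinks_targeting(sinks_json, project, location, bucket_id):
    """Names of the sinks whose destination is exactly the given bucket."""
    wanted = (project, location, bucket_id)
    return [s["name"] for s in json.loads(sinks_json)
            if parse_log_bucket_destination(s["destination"]) == wanted]


def plan_redirect(sinks_json, project, old_location, old_bucket, new_bucket):
    """gcloud commands that repoint every affected sink to the new global bucket.

    Only the destination changes; each sink keeps its filter, so the same log
    entries are routed. Run these before the delete step.
    """
    new_dest = log_bucket_destination(project, "global", new_bucket)
    return [f"gcloud logging sinks update {sink} {new_dest} --project={project}"
            for sink in sinks_targeting(sinks_json, project, old_location, old_bucket)]


def safe_to_delete(sinks_json, project, location, bucket_id):
    """True once no sink in this project still routes into the bucket."""
    return not sinks_targeting(sinks_json, project, location, bucket_id)


if __name__ == "__main__":
    project, old_loc, old, new = ("tm-project5-123123", "us-central1",
                                  "tm-project5-log-bucket", "tm-project5-global-log-bucket")
    for cmd in plan_redirect(SAMPLE_SINKS_JSON, project, old_loc, old, new):
        print(cmd)
    print("safe to delete:", safe_to_delete(SAMPLE_SINKS_JSON, project, old_loc, old))
```

The check only sees sinks defined in the project you listed. Aggregated sinks defined at folder or organization level can also route into a project's log bucket, so list those too (`gcloud logging sinks list --folder=ID` or `--organization=ID`) before treating a bucket as unreferenced.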

Publication date Mar 26, 2024