Enable Data Access Audit Logs

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

To ensure security, compliance, and effective troubleshooting, enable Data Access audit logs for your Google Cloud Storage buckets and objects. Cloud Storage provides two main types of audit logs:

  1. Admin Activity audit logs: These logs capture operations that modify access to resources, such as restoring or managing buckets, folders, or inventory reports. Admin Activity audit logs are enabled by default and cannot be turned off.
  2. Data Access audit logs: These logs track operations not covered by Admin Activity logs. Data Access audit logs include the following sub-types:
      • ADMIN_READ: Logs operations that read access configurations or bucket metadata and list buckets.
      • DATA_READ: Logs operations that read or list Cloud Storage resources other than buckets.
      • DATA_WRITE: Logs operations that create, modify, or delete objects, manage XML API multipart uploads, or rename folders.

Unlike Admin Activity logs, Data Access audit logs are disabled by default and must be explicitly enabled.

Enabling Data Access audit logs for Google Cloud Storage buckets is crucial for ensuring compliance, strengthening security, promoting accountability, and streamlining troubleshooting efforts. By actively monitoring and analyzing activity within your storage buckets, you can gain valuable insights that enable swift detection and response to potential security threats. In Google Cloud Platform (GCP), Data Access audit logs capture API calls that access resource configurations or metadata, along with user-initiated API calls that create, modify, or read data provided by users.


Audit

To determine if Data Access audit logs are enabled for your Google Cloud Storage buckets and objects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Google Cloud Storage, and press Enter.

06 Select the Google Cloud Storage service to show the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab and check the log types configured for Google Cloud Storage to determine what types of operations are recorded in your Data Access audit logs for the selected service. If Admin Read, Data Write, and Data Read log types are not enabled (i.e., the log type checkboxes are not selected), Data Access audit logs are disabled for your Google Cloud Storage buckets and objects.

08 Repeat steps no. 2 – 7 for each project available in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom output filters to list the ID of each project available in your Google Cloud Platform (GCP) account:

gcloud projects list --format="value(projectId)"

02 The command output should return the requested GCP project identifiers (IDs):

cc-project5-123123
cc-ai-project-123123

03 Run projects get-iam-policy command (Windows/macOS/Linux) with the ID of the GCP project that you want to examine as the identifier parameter and custom output filters to describe the IAM policy created for the selected project. The project's IAM policy includes the auditConfigs configuration object, which contains the configuration parameters for Data Access audit logs.

gcloud projects get-iam-policy cc-project5-123123 --format="yaml(auditConfigs)"

04 The command output should return the IAM policy defined for the GCP project (including the auditConfigs object):

auditConfigs:
- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: compute.googleapis.com

- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: pubsub.googleapis.com

If the projects get-iam-policy command output returns null, Data Access audit logs are not enabled for the Google Cloud services and APIs supported within the selected GCP project. If the command output returns the auditConfigs configuration object, as shown in the example above, audit logs are enabled for certain services and APIs. If ADMIN_READ, DATA_READ, and DATA_WRITE log types are not listed for service: storage.googleapis.com, Data Access audit logs are disabled for your Google Cloud Storage buckets and objects.

05 Repeat steps no. 3 and 4 for each project deployed within your Google Cloud Platform (GCP) account.

Remediation / Resolution

To enable Data Access audit logs for your Google Cloud Storage buckets and objects, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to IAM & Admin console available at https://console.cloud.google.com/iam-admin.

04 In the left navigation panel, select Audit Logs to access the audit logs configuration available for the supported Google Cloud services.

05 In the Data access audit logs configuration section, click inside the Filter box, select Service, type Google Cloud Storage, and press Enter.

06 Select the Google Cloud Storage service to display the info panel for the selected GCP service.

07 Choose the PERMISSION TYPES tab, check the Admin Read, Data Write, and Data Read checkboxes, and choose SAVE to apply the changes. This will enable Data Access audit logs for all storage buckets and objects within the selected GCP project.

08 Repeat steps no. 2 – 7 for each GCP project deployed in your Google Cloud Platform (GCP) account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP project (for example, export it with gcloud projects get-iam-policy cc-project5-123123 --format=json) and add the "auditConfigs" object to the existing policy as configured below. If audit logs are already enabled for other GCP services, add the entry for "storage.googleapis.com" shown inside "auditLogConfigs" below to the existing "auditConfigs" array instead. Keep the existing "bindings" and "etag" values in the document, because projects set-iam-policy replaces the project's entire IAM policy with the contents of the file. Save the complete IAM policy document to a JSON file named cc-enable-data-access-audit-logs.json:

"auditConfigs": [
	{
		"auditLogConfigs": [
			{
				"logType": "ADMIN_READ"
			},
			{
				"logType": "DATA_READ"
			},
			{
				"logType": "DATA_WRITE"
			}
		],
		"service": "storage.googleapis.com"
	}
]

02 Run projects set-iam-policy command (Windows/macOS/Linux) with the name of the GCP project that you want to configure as the identifier parameter, to update the associated IAM policy in order to enable Data Access audit logs for all storage buckets and objects in the selected GCP project:

gcloud projects set-iam-policy cc-project5-123123 cc-enable-data-access-audit-logs.json

03 The command output should return the modified IAM policy document:

Updated IAM policy for project [cc-project5-123123].
auditConfigs:
- auditLogConfigs:
	- logType: ADMIN_READ
	- logType: DATA_READ
	- logType: DATA_WRITE
	service: storage.googleapis.com
bindings:
- members:
	- user:user@domain.com
	role: roles/editor
- members:
	- serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com
	role: roles/container.serviceAgent
etag: abcdabcdabcd
version: 1

04 Repeat steps no. 1 – 3 for each GCP project available within your Google Cloud Platform (GCP) account.
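The audit check from the "Using GCP CLI" section above and the policy edit in the remediation steps, as one added example script (not Conformity's or Google's own code). It evaluates the JSON form of a project IAM policy, as returned by gcloud projects get-iam-policy --format=json, and goes beyond the page's text in two ways: it also honours an auditConfigs entry for the special service name allServices, and it treats a log type that carries exemptedMembers as not fully enabled. SAMPLE_POLICY is a constructed input; the project ID and file name are the ones used on this page.

```python
import copy
import json
import subprocess

STORAGE = "storage.googleapis.com"
REQUIRED = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

# Constructed sample in the shape `gcloud projects get-iam-policy --format=json`
# returns: Data Access logs are on for Pub/Sub only, so Storage is non-compliant.
SAMPLE_POLICY = {
    "auditConfigs": [{"service": "pubsub.googleapis.com", "auditLogConfigs": [
        {"logType": "ADMIN_READ"}, {"logType": "DATA_READ"}, {"logType": "DATA_WRITE"}]}],
    "bindings": [{"role": "roles/editor", "members": ["user:user@domain.com"]}],
    "etag": "abcdabcdabcd", "version": 1,
}

def enabled_log_types(policy, service=STORAGE):
    """Log types fully enabled for `service`. The special service name
    allServices covers every service; a type with exemptedMembers is only
    partially enabled and is therefore not counted."""
    enabled = set()
    for cfg in policy.get("auditConfigs") or []:
        if cfg.get("service") in (service, "allServices"):
            for lc in cfg.get("auditLogConfigs") or []:
                if not lc.get("exemptedMembers"):
                    enabled.add(lc.get("logType"))
    return enabled

def is_compliant(policy):
    """True only when ADMIN_READ, DATA_READ and DATA_WRITE are all on for Storage."""
    return REQUIRED <= enabled_log_types(policy)

def enable_storage_data_access(policy):
    """Copy of `policy` with all three log types set for Cloud Storage. Bindings
    and etag are kept: set-iam-policy replaces the whole policy, not a fragment."""
    fixed = copy.deepcopy(policy)
    configs = fixed.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == STORAGE), None)
    if entry is None:
        entry = {"service": STORAGE}
        configs.append(entry)
    entry["auditLogConfigs"] = [{"logType": t} for t in sorted(REQUIRED)]
    return fixed

if __name__ == "__main__":  # live mode; needs an authenticated gcloud
    policy = json.loads(subprocess.check_output(
        ["gcloud", "projects", "get-iam-policy", "cc-project5-123123", "--format=json"], text=True))
    print("compliant" if is_compliant(policy) else "NOT compliant")
    with open("cc-enable-data-access-audit-logs.json", "w") as f:
        json.dump(enable_storage_data_access(policy), f, indent=2)
```

The written file is the complete policy, so it can be passed straight to gcloud projects set-iam-policy as in step 02 above.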

Publication date Dec 17, 2024