A log metric filter and alert should exist for audit configuration changes

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

Google Cloud Platform (GCP) services write audit log entries to the Admin Activity and Data Access logs to help answer the question of “Who did what, where, and when?” within GCP projects. Cloud audit logging records information such as the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by GCP services. Cloud audit logging provides a history of GCP API calls for an account, including API calls made through the console, SDKs, command-line tools, and other GCP services.

Rationale

Cloud audit logging to Admin Activity and Data Access logs enables security analysis, resource change tracking, and compliance auditing. Configuring the metric filter and alerts for audit configuration changes ensures that the recommended state of audit configuration is maintained so that all activities in the project can be audited at any point in time.

Impact

Enabling logging may result in your project being charged for the additional logs usage.

Remediation

From the console

Create the prescribed log metric

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click CREATE METRIC.
  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
  3. Clear any text and add:
    protoPayload.methodName="SetIamPolicy" AND
    protoPayload.serviceData.policyDelta.auditConfigDeltas:*
    
  4. Click Submit Filter. Display logs appear based on the filter text entered by the user.
  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This will ensure that the log metric counts the number of log entries matching the user’s advanced logs query.
  6. Click Create Metric.

Create a prescribed alert policy

  1. Go to https://console.cloud.google.com/logs/metrics. Under the User-defined Metrics section, identify the newly created metric.
  2. Click the kebab icon in the rightmost column for the new metric and select Create alert from Metric.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
   Set `Aggregator` to `Count`
   Set `Configuration`:
   - Condition: above
   - Threshold: 0
   - For: most recent value
  1. Configure the desired notifications channels in the section Notifications.
  2. Name the policy and click Save.

From the command line

Create a prescribed log metric

Use the command: gcloud beta logging metrics create Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create

Create a prescribed alert policy

Use the command: gcloud alpha monitoring policies create Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create

References

  1. https://cloud.google.com/logging/docs/logs-based-metrics/
  2. https://cloud.google.com/monitoring/custom-metrics/
  3. https://cloud.google.com/monitoring/alerts/
  4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
  5. https://cloud.google.com/logging/docs/audit/configure-data-access#getiampolicy-setiampolicy