Google Cloud Audit Logging is not configured properly

  • Contextual name: Cloud Audit Logging is not configured properly
  • ID: /ce/ca/google/logging/audit-logging-configuration
  • Located in: Google Logging

Flags

Our Metadata

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies

Logic

Description

It is recommended that Cloud Audit Logging is configured to track all admin activities and all read and write access to user data.

Rationale

Cloud Audit Logging maintains two audit logs for each project, folder, and organization: Admin Activity and Data Access.

  1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity audit logs are enabled for all services and cannot be configured.
  2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.

There are three kinds of Data Access audit log information:

  • Admin read: Records operations that read metadata or configuration information. (Writes of metadata and configuration information are recorded by the Admin Activity audit logs, which cannot be disabled.)
  • Data read: Records operations that read user-provided data.
  • Data write: Records operations that write user-provided data.

It is recommended to have an effective default audit config configured in such a way that:

... see more

Remediation

From Google Cloud Console

  1. Go to Audit Logs by visiting https://console.cloud.google.com/iam-admin/audit.
  2. Follow the steps at https://cloud.google.com/logging/docs/audit/configure-data-access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Google Cloud CLI

  1. To read the project's IAM policy and store it in a file, run the following command:

     gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml

     Alternatively, the policy can be set at the organization or folder level. If the policy is set at the organization level, it is not necessary to also set it for each folder or project.

     gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml

     gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

  2. Edit the policy file saved in step 1 (for example /tmp/project_policy.yaml), adding or changing only the audit logs configuration to:

    Note: Admin Activity Logs are enabled by default, and cannot be disabled. So they are not listed in these configuration changes.

... see more
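Before running set-iam-policy, it is worth checking the exported policy for exactly the conditions this control describes: a default (allServices) audit config with DATA_READ and DATA_WRITE enabled and no exempted members anywhere. The checker below is an added example, not Cloudaware's own logic; it assumes the policy was exported as JSON (gcloud ... get-iam-policy --format=json) and uses constructed sample policies.

```python
"""Check an exported GCP IAM policy for the Data Access audit log settings
this control expects. Added example (not Cloudaware's checker); assumes the
policy was exported as JSON via `gcloud ... get-iam-policy --format=json`."""
import json

# Data Access log types the control requires on the effective default config.
REQUIRED_LOG_TYPES = {"DATA_READ", "DATA_WRITE"}


def audit_config_findings(policy_json):
    """Return a list of findings for the policy; an empty list means compliant."""
    policy = json.loads(policy_json)
    findings = []
    audit_configs = policy.get("auditConfigs", [])
    # "allServices" is the effective default; per-service entries only add to it.
    default = [c for c in audit_configs if c.get("service") == "allServices"]
    if not default:
        findings.append("no auditConfig entry for service 'allServices'")
    enabled = {lc.get("logType")
               for c in default for lc in c.get("auditLogConfigs", [])}
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"{log_type} is not enabled for allServices")
    # Any exemptedMembers entry means that principal's access is never logged.
    for c in audit_configs:
        for lc in c.get("auditLogConfigs", []):
            for member in lc.get("exemptedMembers", []):
                findings.append(f"{member} is exempted from {lc.get('logType')} "
                                f"on {c.get('service')}")
    return findings


# Constructed sample: the recommended effective default, no exemptions.
COMPLIANT_POLICY = json.dumps({
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "DATA_READ"},
                                          {"logType": "DATA_WRITE"}]}],
    "bindings": [], "etag": "BwExampleEtag=", "version": 1})

# Constructed sample: DATA_READ missing and one user exempted from DATA_WRITE.
NONCOMPLIANT_POLICY = json.dumps({
    "auditConfigs": [{"service": "allServices",
                      "auditLogConfigs": [{"logType": "DATA_WRITE",
                                           "exemptedMembers": ["user:alice@example.com"]}]}],
    "bindings": [], "etag": "BwExampleEtag=", "version": 1})

if __name__ == "__main__":
    for name, pol in (("compliant", COMPLIANT_POLICY),
                      ("noncompliant", NONCOMPLIANT_POLICY)):
        print(name + ":", audit_config_findings(pol) or "OK")
```

Running it against the organization- or folder-level export works the same way, since those policies carry the same auditConfigs structure.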

policy.yaml

Linked Framework Sections

Framework → Section | Sub Sections / Internal Rules / Policies / Flags (counts run together, as on the source page)

  • CIS GCP v1.2.0 → 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project - Level 1 (Automated _ Roadmapped) | 1
  • CIS GCP v1.3.0 → 2.1 Ensure That Cloud Audit Logging Is Configured Properly Across All Services and All Users From a Project - Level 1 (Automated) | 1
  • CIS GCP v2.0.0 → 2.1 Ensure That Cloud Audit Logging Is Configured Properly - Level 1 (Automated) | 1
  • CIS GCP v3.0.0 → 2.1 Ensure That Cloud Audit Logging Is Configured Properly - Level 1 (Automated) | 1
  • Cloudaware Framework → Logging and Monitoring Configuration | 51
  • FedRAMP High Security Controls → AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 62129
  • FedRAMP High Security Controls → AU-7 Audit Record Reduction and Report Generation (M)(H) | 118
  • FedRAMP Low Security Controls → AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 25
  • FedRAMP Moderate Security Controls → AU-6 Audit Record Review, Analysis, and Reporting (L)(M)(H) | 229
  • FedRAMP Moderate Security Controls → AU-7 Audit Record Reduction and Report Generation (M)(H) | 118
  • ISO/IEC 27001:2013 → A.12.4.1 Event logging | 1619
  • ISO/IEC 27001:2013 → A.16.1.7 Collection of evidence | 1
  • ISO/IEC 27001:2022 → 5.25 Assessment and decision on information security events | 13
  • NIST CSF v1.1 → DE.AE-2: Detected events are analyzed to understand attack targets and methods | 1924
  • NIST CSF v1.1 → DE.AE-3: Event data are collected and correlated from multiple sources and sensors | 1938
  • NIST CSF v1.1 → DE.CM-1: The network is monitored to detect potential cybersecurity events | 1942
  • NIST CSF v1.1 → DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events | 2127
  • NIST CSF v1.1 → DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 1924
  • NIST CSF v1.1 → PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes | 1930
  • NIST CSF v1.1 → PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | 1551
  • NIST CSF v1.1 → PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions | 413
  • NIST CSF v1.1 → PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | 1733
  • NIST CSF v1.1 → RS.AN-1: Notifications from detection systems are investigated | 1924
  • NIST CSF v1.1 → RS.AN-3: Forensics are performed | 1
  • NIST CSF v2.0 → DE.AE-02: Potentially adverse events are analyzed to better understand associated activities | 30
  • NIST CSF v2.0 → DE.AE-03: Information is correlated from multiple sources | 45
  • NIST CSF v2.0 → DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis | 38
  • NIST CSF v2.0 → DE.CM-01: Networks and network services are monitored to find potentially adverse events | 111
  • NIST CSF v2.0 → DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events | 80
  • NIST CSF v2.0 → DE.CM-06: External service provider activities and services are monitored to find potentially adverse events | 30
  • NIST CSF v2.0 → DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 129
  • NIST CSF v2.0 → PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization | 38
  • NIST CSF v2.0 → PR.AA-02: Identities are proofed and bound to credentials based on the context of interactions | 13
  • NIST CSF v2.0 → PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties | 86
  • NIST CSF v2.0 → RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident | 17
  • NIST CSF v2.0 → RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved | 18
  • NIST CSF v2.0 → RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved | 18
  • NIST CSF v2.0 → RS.MA-02: Incident reports are triaged and validated | 25
  • NIST SP 800-53 Revision 4 → AC-2 ACCOUNT MANAGEMENT | 1325
  • NIST SP 800-53 Revision 5 → AU-6 Audit Record Review, Analysis, and Reporting | 10110
  • NIST SP 800-53 Revision 5 → AU-7 Audit Record Reduction and Report Generation | 2118
  • PCI DSS v3.2.1 → 10.1 Implement audit trails to link all access to system components to each individual user. | 45
  • PCI DSS v3.2.1 → 10.2 Implement automated audit trails for all system components. | 7725
  • PCI DSS v3.2.1 → 10.6.1 Review security events and critical system component logs at least daily. | 2
  • PCI DSS v3.2.1 → 10.6.2 Review logs of all other system components periodically based on the organization's policies and risk management strategy, as determined by the organization's annual risk assessment. | 4
  • PCI DSS v3.2.1 → 10.6.3 Follow up exceptions and anomalies identified during the review process. | 2
  • PCI DSS v4.0.1 → 10.2.1 Audit logs are enabled and active for all system components and cardholder data. | 724
  • PCI DSS v4.0.1 → 10.4.1 The audit logs are reviewed at least once daily. | 12
  • PCI DSS v4.0.1 → 10.4.1.1 Automated mechanisms are used to perform audit log reviews. | 2
  • PCI DSS v4.0.1 → 10.4.2 Logs of all other system components are reviewed periodically. | 14
  • PCI DSS v4.0.1 → 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis. | 2
  • PCI DSS v4.0.1 → 10.4.3 Exceptions and anomalies identified during the review process are addressed. | 2
  • PCI DSS v4.0 → 10.2.1 Audit logs are enabled and active for all system components and cardholder data. | 724
  • PCI DSS v4.0 → 10.4.1 The audit logs are reviewed at least once daily. | 12
  • PCI DSS v4.0 → 10.4.1.1 Automated mechanisms are used to perform audit log reviews. | 2
  • PCI DSS v4.0 → 10.4.2 Logs of all other system components are reviewed periodically. | 14
  • PCI DSS v4.0 → 10.4.2.1 The frequency of periodic log reviews for all other system components is defined in the entity's targeted risk analysis. | 2
  • PCI DSS v4.0 → 10.4.3 Exceptions and anomalies identified during the review process are addressed. | 2
  • SOC 2 → CC4.1-1 Considers a Mix of Ongoing and Separate Evaluations | 2
  • SOC 2 → CC4.1-2 Considers Rate of Change | 2
  • SOC 2 → CC4.1-3 Establishes Baseline Understanding | 2
  • SOC 2 → CC4.1-4 Uses Knowledgeable Personnel | 2
  • SOC 2 → CC4.1-5 Integrates With Business Processes | 2
  • SOC 2 → CC4.1-6 Adjusts Scope and Frequency | 2
  • SOC 2 → CC4.1-7 Objectively Evaluates | 2
  • SOC 2 → CC4.1-8 Considers Different Types of Ongoing and Separate Evaluations | 2
  • SOC 2 → CC7.3-1 Responds to Security Incidents | 2
  • SOC 2 → CC7.3-2 Communicates and Reviews Detected Security Events | 2
  • SOC 2 → CC7.3-3 Develops and Implements Procedures to Analyze Security Incidents | 2
  • SOC 2 → CC7.3-4 Assesses the Impact on Confidential Information | 2
  • SOC 2 → CC7.3-5 Determines Confidential Information Used or Disclosed | 2