📝 Google Cloud Audit Logging is not configured properly 🟢

• Contextual name: 📝 Cloud Audit Logging is not configured properly 🟢
• ID: /ce/ca/google/logging/audit-logging-configuration
• Located in: 📁 Google Logging

Flags

• 🟢 Policy with categories
• 🟢 Policy with type
• 🟢 Production policy

Our Metadata

• Policy Type: COMPLIANCE_POLICY
• Policy Category:
  • SECURITY

Similar Policies

• Cloud Conformity
  • Configure Google Cloud Audit Logs to Track All Activities

Logic

• 🧠 prod.logic.yaml 🟢
  • 📕 Google Project
  • 🔌 Google IAM Policy Audit Config - object.extracts.yaml
  • 🔌 Google IAM Policy Audit Log Config - object.extracts.yaml
  • 🔌 Google Project - object.extracts.yaml
  • 🧪 test-data.json

Description

Open File

Description

It is recommended that Cloud Audit Logging is configured to track all admin activities and read, write access to user data.

Rationale

Cloud Audit Logging maintains two audit logs for each project, folder, and organization:

Admin Activity and Data Access.

1. Admin Activity logs contain log entries for API calls or other administrative actions that modify the configuration or metadata of resources. Admin Activity audit logs are enabled for all services and cannot be configured.
2. Data Access audit logs record API calls that create, modify, or read user-provided data. These are disabled by default and should be enabled.

There are three kinds of Data Access audit log information:

o Admin read: Records operations that read metadata or configuration information. Admin Activity audit logs record writes of metadata and configuration information that cannot be disabled.
o Data read: Records operations that read user-provided data.
o Data write: Records operations that write user-provided data.

It is recommended to have an effective default audit config configured in such a way that:

... see more

Remediation

Open File

Remediation

From Google Cloud Console

1. Go to Audit Logs by visiting https://console.cloud.google.com/iam-admin/audit.
2. Follow the steps at https://cloud.google.com/logging/docs/audit/configure-data-access to enable audit logs for all Google Cloud services. Ensure that no exemptions are allowed.

From Google Cloud CLI

1. To read the project's IAM policy and store it in a file run a command:

    gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml

   Alternatively, the policy can be set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project.

    gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
   
    gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

2. Edit policy in /tmp/policy.yaml, adding or changing only the audit logs configuration to:

   Note: Admin Activity Logs are enabled by default, and cannot be disabled. So they are not listed in these configuration changes.

... see more

policy.yaml

Open File

Linked Framework Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CIS GCP v3.0.0 → 💼 2.1 Ensure That Cloud Audit Logging Is Configured Properly - Level 1 (Automated)			1
💼 Cloudaware Framework → 💼 Logging and Monitoring Configuration			49