Configure Google Cloud Audit Logs to Track All Activities

Risk Level: Medium (should be achieved)

Rule ID: CloudIAM-009

Ensure that Google Cloud Audit Logs feature is configured to track Admin Activity logs and Data Access audit logs for all Google Cloud Platform (GCP) services and users in order to enhance overall access security and meet compliance requirements. Once configured, the feature can record all admin related activities, as well as all the read and write access requests to user data.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

Cloud Audit Logs, a feature of Google Cloud Logging service, maintains two types of audit logs for each GCP project, folder, and organization: Admin Activity logs and Data Access audit logs. Admin Activity logs contain log entries for API calls or administrative actions that modify the configuration or metadata of Google Cloud Platform (GCP) resources. Admin Activity logs are enabled for all GCP services by default and their configuration cannot be modified. Data Access audit logs contain API calls that read the configuration or metadata of GCP resources, as well as user-driven API calls that read, modify, or create user-provided resource data. There are 3 kinds of Data Access audit log information:

- ADMIN_READ - records operations that read configuration or metadata information.
- DATA_READ - records operations that read user-provided data.
- DATA_WRITE - records operations that write user-provided data.

In order to maintain an effective Google Cloud audit configuration for your project, folder, and organization, all 3 types of Data Access audit logs (ADMIN_READ, DATA_READ and DATA_WRITE) must be enabled for all supported GCP services. Also, these logs should be captured for all IAM users, without exempting any of them. Exemptions let you control which users generate audit logs. When you add an exempted user to your log configuration, audit logs are not created for that user, for the selected log type(s). Data Access audit logs are disabled by default and must be explicitly enabled based on your business requirements.

Audit

To determine the Audit Logs configuration for your GCP projects, folders, and organizations, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the GCP organization, folder, or project that you want to examine.

03 Navigate to IAM and Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Audit Logs.

05 On the Audit Logs page, perform the following actions:

To check the log configuration for all the supported Google Cloud services, select the maximum number of rows per page from the Rows per page dropdown menu available at the bottom of the page, then check the log types, i.e. Admin Read, Data Read, and Data Write columns and the exempted users listed in the Exempted principals column, assigned to each supported GCP service. (Optional) You can also use the Filter box at the top of the page to identify the titles of the Audit Logs that you are interested in. If the Admin Read, Data Read, and Data Write log types are not enabled for all the GCP services listed on the page or there are one or more services with exemptions allowed, the Data Access audit logs are not enabled for all the supported GCP services and users, therefore the configuration of the Audit Logs feature, available for the selected GCP organization/folder/project, is not compliant.
To verify the default audit configuration for all the supported GCP services, check the Default configuration section. If the configuration status for the Admin Read, Data Read, and Data Write is not set to Enabled, and there are one or more exempted principals, the Data Access audit logs are not enabled for all the supported GCP services and users, therefore the default configuration of the Audit Logs feature, available for the selected GCP organization/folder/project, is not compliant.

06 Repeat steps no. 2 – 5 for each project and folder available within the selected GCP organization, including the organization itself.

07 Repeat steps no. 1 – 6 for each Google Cloud Platform (GCP) organization deployed within your account.

Using GCP CLI

01 To check your GCP organizations IAM policy for Data Access audit audit logs status and configuration, perform the following actions:

Run organizations list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the organizations created within your GCP account:
```
gcloud organizations list
  --format="table(name)"
```
The command output should return the requested organization identifiers:
```
ID
123412341234
111122223333
112233441122
```
Run organizations get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization that you want to examine as the identifier parameter and custom query filters to describe the Access Management (IAM) policy assigned to the selected organization, in JSON format:
```
gcloud organizations get-iam-policy 123412341234
  --format=json
```

The command output should return the organization's IAM policy:

{
    "bindings": [
        {
            "members": [
                "domain:trendmicro.com"
            ],
            "role": "roles/billing.creator"
        },
        {
            "members": [
                "user:cloudadmin@trendmicro.com"
            ],
            "role": "roles/resourcemanager.organizationAdmin"
        },
        {
            "members": [
                "domain:trendmicro.com"
            ],
            "role": "roles/resourcemanager.projectCreator"
        },
        {
            "members": [
                "user:conformity@trendmicro.com"
            ],
            "role": "roles/owner"
        }
    ],
    "etag": "abcdabcdabcd",
    "version": 1
}

The IAM policy returned by the organizations get-iam-policy command output at the previous step should include the "auditConfigs" configuration object. This object contains the configuration parameters for the Data Access audit logs. If "logType" is set to "DATA_READ" and "DATA_WRITE", the log configuration is compliant. The following "auditConfigs" object configuration enables Data Access audit logs for all the supported services and users (no user exemptions):
```
"auditConfigs": [
    {
        "auditLogConfigs": [
            {
                "logType": "ADMIN_READ"
            },
            {
                "logType": "DATA_READ"
            },
            {
                "logType": "DATA_WRITE"
            }
        ],
        "service": "allServices"
    }
]
```
Check the IAM policy document returned at step iv. for the "auditConfigs" configuration object. If the policy does not contain the "auditConfigs" object or the object does not have the exact same configuration as the one listed above, the Data Access audit logs are not enabled for all the supported GCP services and users, therefore the Audit Logs feature configuration for the selected GCP organization is not compliant.
Repeat steps iii – v for each Google Cloud Platform (GCP) organization deployed within your account.

02 To check your GCP projects IAM policy for Data Access audit logs configuration, perform the following operations:

Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the projects available in your GCP account:
```
gcloud projects list
  --format="table(projectId)"
```
The command output should return the requested project IDs:
```
PROJECT_ID
cc-frontend-app-112233
cc-internal-app-112233
```
Run projects get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to describe the IAM policy created for the selected GCP project:
```
gcloud projects get-iam-policy cc-frontend-app-112233 
  --format=json
```

The command output should return the requested IAM policy:

{
    "bindings": [
        {
            "members": [
                "user:admin@trendmicro.com"
            ],
            "role": "roles/owner"
        },
        {
            "members": [
                "serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"
            ],
            "role": "roles/container.serviceAgent"
        },
        {
            "members": [
                "user:secops@trendmicro.com"
            ],
            "role": "roles/editor"
        }
    ],
    "etag": "abcdabcdabcd",
    "version": 1
}

The IAM policy returned by the projects get-iam-policy command output should include the "auditConfigs" configuration object. This object contains the configuration parameters for the Data Access audit logs. If "logType" is set to "DATA_READ" and "DATA_WRITE", the log configuration is compliant. The following "auditConfigs" object configuration enables Data Access logging for all the supported services and users:
```
"auditConfigs": [
    {
    "auditLogConfigs": [
        {
            "logType": "ADMIN_READ"
        },
        {
            "logType": "DATA_READ"
        },
        {
            "logType": "DATA_WRITE"
        }
    ],
    "service": "allServices"
    }
]
```
Check the IAM policy document returned at step iv. for the "auditConfigs" configuration object. If the policy does not contain the "auditConfigs" object or the object does not have the same configuration as the one listed above, the Data Access audit logs are not enabled for all the supported services and users, therefore the Audit Logs configuration for the selected GCP project is not compliant.
Repeat step iii – v for each Google Cloud Platform (GCP) project created within your account.

03 To check the IAM policy associated with your GCP organization folders for Data Access audit logs configuration, perform the following actions:

Run resource-manager folders list command (Windows/macOS/Linux) using the ID of the organization that you want to examine as identifier parameter and custom query filters to list the IDs of all folders available in the selected GCP organization:
```
gcloud resource-manager folders list
  --organization 123412341234
  --format="table(name)"
```
The command output should return the requested organization folders IDs:
```
ID
123456789012
123412341234
111122223333
```
Run resource-manager folders get-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization folder that you want to examine as the identifier parameter and custom query filters to describe the IAM policy defined for the selected folder:
```
gcloud resource-manager folders get-iam-policy 123456789012
  --format=json
```

The command output should return the requested IAM policy:

{
    "bindings": [
        {
            "members": [
                "user:cloudadmin@trendmicro.com"
            ],
            "role": "roles/owner"
        },
        {
            "members": [
                "user:admin@trendmicro.com"
            ],
            "role": "roles/resourcemanager.folderAdmin"
        },
        {
            "members": [
                "user:conformity@trendmicro.com"
            ],
            "role": "roles/resourcemanager.folderEditor"
        }
    ],
    "etag": "aaaabbbbcccc",
    "version": 1
}

The IAM policy returned by the resource-manager folders get-iam-policy command output should include the "auditConfigs" configuration object. This object contains the configuration parameters for the Data Access audit logs. If "logType" is set to "DATA_READ" and "DATA_WRITE", the log configuration is compliant. The following "auditConfigs" object configuration enables Data Access audit logs for all supported services and users:
```
"auditConfigs": [
    {
        "auditLogConfigs": [
            {
                "logType": "ADMIN_READ"
            },
            {
                "logType": "DATA_READ"
            },
            {
                "logType": "DATA_WRITE"
            }
        ],
        "service": "allServices"
    }
]
```
Check the IAM policy document returned at step iv. for the "auditConfigs" configuration object. If the policy does not contain the "auditConfigs" object or the object does not have the same configuration as the one listed above, the Data Access audit logs are not enabled for all the supported GCP services and available users, therefore the Audit Logs feature configuration for the selected GCP organization folder is not compliant.
Repeat step iii – v for each Google Cloud Platform (GCP) folder created within the selected organization.

Remediation / Resolution

To configure the Audit Logs feature to track all Google Cloud service and user activities by updating the IAM policy associated with GCP projects, folders, and organizations, perform the following operations:

Using GCP Console

01 Sign in to the Google Cloud Management Console with the organizational unit credentials.

02 Click on the deployment selector from the top navigation bar, select ALL to list all the existing deployments, then choose the GCP organization that you want to access.

03 Navigate to IAM and Admin console available at https://console.cloud.google.com/iam-admin/iam.

04 In the main navigation panel, select Audit Logs.

05 On the Audit Logs page, choose SET DEFAULT CONFIGURATION from the console top menu and perform the following actions:

Choose the LOG TYPES tab and select the Admin Read, Data Read, and Data Write checkboxes to enable audit logging for all the supported Google Cloud Platform (GCP) services. Because the feature is enabled at the organization level, the configuration (i.e. default configuration) is inherited to all projects and folders within that organization. Choose SAVE to apply the changes.
Select the EXEMPTED PRINCIPALS tab, then click on the Delete icon next to each exempted principal to remove the user from the Exempted principals list. Choose SAVE to apply the configuration changes.

06 Repeat steps no. 2 – 5 for each Google Cloud Platform (GCP) organization deployed within your account.

Using GCP CLI

01 Edit the IAM policy associated with your GCP organization/folder/project (see Audit section part II to identify the right policy returned by the get-iam-policy command) and replace or add the "auditConfigs" object to the existing policy as configured below, then save the IAM policy to a JSON document named enable-audit-logging-policy.json:

"auditConfigs": [
    {
        "auditLogConfigs": [
            {
                "logType": "ADMIN_READ"
            },
            {
                "logType": "DATA_READ"
            },
            {
                "logType": "DATA_WRITE"
            }
        ],
        "service": "allServices"
    }
]

02 To enable Data Access audit logs for all the supported GCP services and IAM users within your Google Cloud organization, perform the following operations:

Run organizations set-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization that you want to configure as the identifier parameter, to update the associated IAM policy with the policy defined at step no. 1 (i.e. enable-audit-logging-policy.json):
```
gcloud organizations set-iam-policy 123412341234 enable-audit-logging-policy.json
```

The command output should return the reconfigured IAM policy (in YAML format) for the selected GCP organization:

Updated IAM policy for organization [123412341234].
auditConfigs:
- auditLogConfigs:
    - logType: ADMIN_READ
    - logType: DATA_READ
    - logType: DATA_WRITE
    service: allServices
bindings:
- members:
    - domain:trendmicro.com
    role: roles/billing.creator
- members:
    - user:cloudadmin@trendmicro.com
    role: roles/orgpolicy.policyAdmin
- members:
    - user:conformity@trendmicro.com
    role: roles/owner
- members:
    - domain:trendmicro.com
    role: roles/resourcemanager.projectCreator
etag: abcdabcdabcd
version: 1

If required, repeat step i. and ii. for other Google Cloud Platform (GCP) organizations available in your account.

03 To enable Data Access audit logs for all the supported Google Cloud services and users within your GCP project, perform the following actions:

Run projects set-iam-policy command (Windows/macOS/Linux) using the name of the GCP project that you want to reconfigure as the identifier parameter to update the associated IAM policy with the policy reconfigured at step no. 1:
```
gcloud organizations set-iam-policy cc-frontend-app-112233 enable-audit-logging-policy.json
```

The command output should return the reconfigured project IAM policy:

Updated IAM policy for project [cc-frontend-app-112233].
auditConfigs:
- auditLogConfigs:
    - logType: ADMIN_READ
    - logType: DATA_READ
    - logType: DATA_WRITE
    service: allServices
bindings:
- members:
    - user:cloudadmin@trendmicro.com
    role: roles/editor
- members:
    - user:conformity@trendmicro.co
    role: roles/owner
etag: abcdabcdabcd
version: 1

If required, repeat step i. and ii. for other Google Cloud Platform (GCP) projects created within your account.

04 To enable Data Access audit logs for all the supported Google Cloud services and users within your GCP organization folder, perform the following commands:

Run resource-manager folders set-iam-policy command (Windows/macOS/Linux) using the ID of the GCP organization folder that you want to reconfigure as the identifier parameter to update the associated IAM policy with the policy reconfigured at step no. 1 (i.e. enable-audit-logging-policy.json):
```
gcloud resource-manager folders set-iam-policy 123456789012 enable-audit-logging-policy.json
```

The command output should return the IAM policy reconfigured for the selected GCP organization folder:

Updated IAM policy for folder [123456789012].
auditConfigs:
- auditLogConfigs:
    - logType: ADMIN_READ
    - logType: DATA_READ
    - logType: DATA_WRITE
    service: allServices
bindings:
- members:
    - user:cloudadmin@trendmicro.com
    role: roles/resourcemanager.folderAdmin
- members:
    - user:conformity@trendmicro.com
    role: roles/resourcemanager.folderEditor
- members:
    - user:secops@trendmicro.com
    role: roles/owner
etag: aaaabbbbcccc
version: 1

If required, repeat step i. and ii. for other Google Cloud Platform (GCP) folders available within the selected organization.

References

Google Cloud Platform (GCP) Documentation
Cloud Audit Logs overview
Understanding audit logs
Enable Data Access audit logs

CIS Security Documentation
Google Cloud Computing Platform

GCP Command Line Interface (CLI) Documentation
gcloud organizations list
gcloud organizations get-iam-policy
gcloud projects list
gcloud projects get-iam-policy
gcloud alpha resource-manager folders list
gcloud alpha resource-manager folders get-iam-policy
gcloud organizations set-iam-policy
gcloud projects set-iam-policy
gcloud resource-manager folders set-iam-policy

Publication date Oct 30, 2021

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

Configure Google Cloud Audit Logs to Track All Activities

Risk Level: Medium

Audit

Using GCP Console

Using GCP CLI

Remediation / Resolution

Using GCP Console

Using GCP CLI

References

Related CloudIAM rules