Best practice rules for GCP Cloud Logging
- Check for Sufficient Log Data Retention Period
Ensure that the retention period configured for your logging buckets is 365 days or greater.
- Configure Retention Policies with Bucket Lock
Ensure that the log bucket retention policies are using the Bucket Lock feature.
- Enable Global Logging
Ensure that the location of your Cloud Logging buckets is global.
- Enable Logs Router Encryption with Customer-Managed Keys
Ensure that Google Cloud Logs Router data is encrypted using Customer-Managed Keys (CMKs).
- Enable Monitoring for Audit Configuration Changes
Ensure that GCP project audit configuration changes are being monitored using alerting policies.
- Enable Monitoring for Bucket Permission Changes
Ensure that Cloud Storage bucket permission changes are being monitored using alerting policies.
- Enable Monitoring for Custom Role Changes
Ensure that custom IAM role changes are being monitored using alerting policies.
- Enable Monitoring for Firewall Rule Changes
Ensure that VPC network firewall rule changes are being monitored using alerting policies.
- Enable Monitoring for SQL Instance Configuration Changes
Ensure that SQL instance configuration changes are being monitored using alerting policies.
- Enable Project Ownership Assignments Monitoring
Ensure that GCP project ownership changes are being monitored using alerting policies.
- Enable VPC Network Changes Monitoring
Ensure that Google Cloud VPC network changes are being monitored using log metrics and alerting policies.
- Enable VPC Network Route Changes Monitoring
Ensure that VPC network route changes are being monitored using alerting policies.
- Enable Data Access Audit Logging for All Critical Service APIs
Ensure that data access audit logs are enabled for all critical service APIs within your GCP project.
- Export All Log Entries Using Sinks
Ensure that all the log entries generated for your Google Cloud projects are exported using sinks.