Profile Applicability:

Level 1

Description:

It is recommended to configure Cloud Audit Logging to monitor administrative actions and access to user data. Proper configuration includes enabling audit logs for Admin Activity, Data Read, and Data Write for all services and ensuring no exemptions for any users.

Rationale:

Google Cloud provides two types of audit logs:

  1. Admin Activity Logs: Tracks administrative changes to configuration or metadata (enabled by default).

  2. Data Access Logs: Tracks API calls that read, write, or modify user data (disabled by default).

Enabling both types ensures:

  • Visibility into administrative activities.

  • Monitoring of data access for compliance and security.

  • Detailed tracking of all user interactions.

Impact:

  • Cost: Admin Activity logs are free. Data Access logs may incur additional charges depending on log volume and storage.

Default Value:

  • Admin Activity Logs: Enabled by default.

  • Data Access Logs: Disabled by default.

Audit Steps:

Using Google Cloud Console:

  1. Navigate to Audit Logs: Audit Logs Console.

  2. Confirm that Admin Read, Data Write, and Data Read logs are enabled for all services.

  3. Ensure that no users are exempted from logging.

Using Google Cloud CLI:

List the IAM policies for a project, folder, or organization:

gcloud organizations get-iam-policy ORGANIZATION_ID
gcloud resource-manager folders get-iam-policy FOLDER_ID
gcloud projects get-iam-policy PROJECT_ID

Verify that the auditConfigs section includes the following:

auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_WRITE
  - logType: DATA_READ
  service: allServices

Ensure no exemptedMembers are listed in any auditConfigs sections.

Remediation Steps:

Using Google Cloud Console:

  1. Navigate to Audit Logs: Audit Logs Console.

  2. Follow the Data Access Logging Configuration Guide to enable logs for all services.

  3. Ensure no exemptions are configured.

Using Google Cloud CLI:

Export the current IAM policy to a file:

gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml

For folders or organizations:

gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml
gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

Edit the policy file so that the auditConfigs section includes:

auditConfigs:
- auditLogConfigs:
  - logType: DATA_WRITE
  - logType: DATA_READ
  service: allServices

Ensure no exemptedMembers are listed.

Update the policy:

gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml
gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml
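The audit and remediation steps above both operate on the auditConfigs section of the IAM policy, and set-iam-policy replaces the whole policy, so a hand-edited file must keep the existing bindings and etag intact. The script below is an added example (not part of this benchmark or of gcloud) that performs the audit check on a policy exported with gcloud's --format=json option and produces a corrected policy in memory while preserving everything else. The policy JSON it parses is a constructed sample with placeholder member and etag values; PROJECT_ID in the comments is a placeholder.

```python
import json
from typing import Dict, List

# Log types the audit step expects on the allServices entry.
REQUIRED_LOG_TYPES = ("ADMIN_READ", "DATA_WRITE", "DATA_READ")

# Constructed sample in the shape returned by
#   gcloud projects get-iam-policy PROJECT_ID --format=json
# Member and etag values are placeholders, not real policy data.
# It fails the audit twice: DATA_READ is missing, and one exemption exists.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_WRITE", "exemptedMembers": ["user:example@example.com"]}
      ],
      "service": "allServices"
    }
  ],
  "bindings": [
    {"members": ["user:owner@example.com"], "role": "roles/owner"}
  ],
  "etag": "BwXYZ_placeholder=",
  "version": 1
}
"""


def load_policy(text: str) -> Dict:
    """Parse the JSON emitted by gcloud ... get-iam-policy --format=json."""
    return json.loads(text)


def audit_log_findings(policy: Dict) -> List[str]:
    """Apply the audit checks; an empty list means the policy is compliant."""
    findings: List[str] = []
    configs = policy.get("auditConfigs", [])

    all_services = [c for c in configs if c.get("service") == "allServices"]
    if not all_services:
        findings.append("no auditConfigs entry for service allServices")
    for cfg in all_services:
        present = {lc.get("logType") for lc in cfg.get("auditLogConfigs", [])}
        for log_type in REQUIRED_LOG_TYPES:
            if log_type not in present:
                findings.append(f"allServices: logType {log_type} not enabled")

    # Exemptions are non-compliant in every auditConfigs entry, not only allServices,
    # because a per-service exemption still switches that member's logging off.
    for cfg in configs:
        for lc in cfg.get("auditLogConfigs", []):
            for member in lc.get("exemptedMembers", []):
                findings.append(
                    f"{cfg.get('service')}/{lc.get('logType')}: exempted member {member}"
                )
    return findings


def apply_required_audit_config(policy: Dict) -> Dict:
    """Return a corrected copy of the policy.

    Only auditConfigs is rewritten: the allServices entry gets all three log types,
    exemptedMembers is dropped everywhere, and bindings/etag/version are left
    untouched so set-iam-policy does not discard role grants or hit an etag
    mismatch. The input dict is not modified.
    """
    updated = json.loads(json.dumps(policy))  # deep copy
    kept = []
    for cfg in updated.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            continue  # replaced below
        for lc in cfg.get("auditLogConfigs", []):
            lc.pop("exemptedMembers", None)
        kept.append(cfg)
    kept.append({
        "service": "allServices",
        "auditLogConfigs": [{"logType": t} for t in REQUIRED_LOG_TYPES],
    })
    updated["auditConfigs"] = kept
    return updated


if __name__ == "__main__":
    # Stand-alone run: audit the sample, fix it, and show the corrected policy
    # in the form that could be written to a file for set-iam-policy.
    policy = load_policy(SAMPLE_POLICY_JSON)
    for finding in audit_log_findings(policy):
        print("FAIL:", finding)
    fixed = apply_required_audit_config(policy)
    print("findings after fix:", audit_log_findings(fixed))
    print(json.dumps(fixed, indent=2))
```

To use it against a real resource, replace SAMPLE_POLICY_JSON with the output of the get-iam-policy command for the project, folder, or organization (with --format=json), write the corrected dictionary to a file, and pass that file to the matching set-iam-policy command; the file exported before the change is the backup the backout plan refers to.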

Backout Plan:

1. Restore Previous IAM Policy (If Needed)

If the audit logging configuration breaks workflows, restore the IAM policy that was exported before the change (the backup file):

gcloud projects set-iam-policy <PROJECT_ID> policy-backup.json

2. Adjust Logging Settings Based on Usage

  • Enable only necessary logs to balance cost vs. security.

References:

  1. Cloud Audit Logging Overview

  2. Configuring Data Access Logs

CIS Controls:

Control                         | Description                                                                    | IG 1 | IG 2 | IG 3
8.2 Collect Audit Logs          | Ensure audit logs are collected across all enterprise systems for monitoring.  |      |      |
8.11 Conduct Audit Log Reviews  | Regularly review audit logs to detect anomalies and potential threats.        |      |      |
6.2 Activate Audit Logging      | Enable logging on all systems and networking devices.                         |      |      |