Google CloudOverview
Storage Access Logging generates a log that contains access records for each request made to the Storage bucket. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. Cloud Storage offers access logs and storage logs in the form of CSV files that can be downloaded and used for analysis/incident response. Access logs provide information for all of the requests made on a specified bucket and are created hourly, while the daily storage logs provide information about the storage consumption of that bucket for the last day. The access logs and storage logs are automatically created as new objects in a bucket that you specify. An access log record contains details about the request, such as the request type, the resources specified in the request worked, and the time and date the request was processed. While storage Logs helps to keep track the amount of data stored in the bucket. It is recommended that storage Access Logs and Storage logs are enabled for every Storage Bucket.
Rationale
By enabling access and storage logs on target Storage buckets, it is possible to capture all events which may affect objects within target buckets. Configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows.
In most cases, Cloud Audit Logging is the recommended method for generating logs that track API operations performed in Cloud Storage:
- Cloud Audit Logging tracks access on a continuous basis.
- Cloud Audit Logging produces logs that are easier to work with.
- Cloud Audit Logging can monitor many of your Google Cloud Platform services, not just Cloud Storage.
In some cases, you may want to use access & storage logs instead.
You most likely want to use access logs if:
- You want to track access for public objects.
- You use Access Control Lists (ACLs) to control access to your objects.
- You want to track changes made by the Object Lifecycle Management feature.
- You want your logs to include latency information, or the request and response size of individual HTTP requests.
You most likely want to use storage logs if:
- You want to track the amount of data stored in your buckets.
Remediation guidance
Using Gsutils
To set Storage Access Logs and Storage logs for a bucket run:
gsutil logging set on -b gs://<bucketName for a bucket used to store logs> gs://<your bucket name>
Default Value
By Default, Access logs and storage logs are not enabled for storage buckets.
References
- https://cloud.google.com/storage/docs/access-logs
Google Cloud Console (Asset-Level)
- Open the affected project/resource from the finding details in Google Cloud Console.
- Navigate to the resource security/configuration settings.
- Apply the control-specific secure configuration.
- Save and re-run the check.
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Logging is enabled for Cloud Storage buckets
Connectors
Covered asset types
Expected check: eq []
buckets(where:{loggingLogBucket_NOT:""}){...AssetFragment}
