Control: 2.16 Ensure Logging is enabled for HTTP(S) Load Balancer
Description
Logging enabled on an HTTPS Load Balancer will show all network traffic and its destination.
Logging will allow you to view HTTPS network traffic to your web applications.
Remediation
From Console
- From Google Cloud home open the Navigation Menu in the top left.
- Under the Networking heading select Network services.
- Select the HTTPS load-balancer you wish to audit.
- Select Edit then Backend Configuration.
- Select Edit on the corresponding backend service.
- Click Enable Logging.
- Set Sample Rate to a desired value. This is a percentage as a decimal point. 1.0 is 100%.
From Command Line
- Run the following command
gcloud compute backend-services update <serviceName> --region=REGION --enable-logging --logging-sample-rate=<percentageAsADecimal>
Default Value
By default, logging for HTTP(S) load balancing is disabled. When logging is enabled, the default sample rate is 1.0 (100%). Ensure this value fits the needs of your organization to avoid high storage costs.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_2_16
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run gcp_compliance.control.cis_v200_2_16 --share
SQL
This control uses a named query:
select
  m.self_link as resource,
  case
    when s.self_link is null then 'skip'
    when s.log_config_enable then 'ok'
    else 'alarm'
  end as status,
  case
    when s.self_link is null then m.name || ' uses backend bucket.'
    when s.log_config_enable then m.name || ' logging enabled.'
    else m.name || ' logging disabled.'
  end as reason,
  m.location as location,
  m.project as project
from
  gcp_compute_url_map as m
  left join gcp_compute_backend_service as s on s.self_link = m.default_service;
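As an added example (not code from the gcp_compliance mod or Powerpipe), the same skip/ok/alarm logic as the named query above, re-implemented in Python over constructed records shaped like `gcloud ... --format=json` output so the left-join semantics can be checked offline; the JSON field names (`selfLink`, `defaultService`, `logConfig.enable`, `logConfig.sampleRate`) and the sample data are assumptions. It goes slightly beyond the query by also surfacing the sample rate, which the Default Value section says to review for cost.

```python
# Added example, not the gcp_compliance mod's own code. Record shapes mimic
# `gcloud compute url-maps list --format=json` and
# `gcloud compute backend-services list --format=json` (field names assumed).

BASE = "https://www.googleapis.com/compute/v1/projects/example-proj/global"

# Constructed sample data, not output from a real project.
URL_MAPS = [
    {"name": "web-lb", "selfLink": f"{BASE}/urlMaps/web-lb",
     "defaultService": f"{BASE}/backendServices/web-be"},
    {"name": "api-lb", "selfLink": f"{BASE}/urlMaps/api-lb",
     "defaultService": f"{BASE}/backendServices/api-be"},
    {"name": "static-lb", "selfLink": f"{BASE}/urlMaps/static-lb",
     "defaultService": f"{BASE}/backendBuckets/static-bucket"},
]
BACKEND_SERVICES = [
    {"name": "web-be", "selfLink": f"{BASE}/backendServices/web-be",
     "logConfig": {"enable": True, "sampleRate": 1.0}},
    {"name": "api-be", "selfLink": f"{BASE}/backendServices/api-be",
     "logConfig": {"enable": False}},
]


def evaluate_control(url_maps, backend_services):
    """One row per URL map, left-joined to the backend service whose
    selfLink equals the map's defaultService (same join as the SQL)."""
    by_link = {s["selfLink"]: s for s in backend_services}
    rows = []
    for m in url_maps:
        s = by_link.get(m.get("defaultService"))
        log_cfg = (s or {}).get("logConfig", {})
        if s is None:
            # No matching backend service: the default backend is a bucket,
            # which has no logConfig, so the control skips it.
            status, reason = "skip", f"{m['name']} uses backend bucket."
        elif log_cfg.get("enable"):
            status, reason = "ok", f"{m['name']} logging enabled."
        else:
            # A missing logConfig counts as disabled, like NULL in the CASE.
            status, reason = "alarm", f"{m['name']} logging disabled."
        rows.append({"resource": m["selfLink"], "status": status,
                     "reason": reason, "sample_rate": log_cfg.get("sampleRate")})
    return rows


if __name__ == "__main__":
    for row in evaluate_control(URL_MAPS, BACKEND_SERVICES):
        print(f"{row['status']:5} {row['reason']} (sample rate {row['sample_rate']})")
```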