Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-gcp-compliance
Overview
14Dashboards
621Benchmarks
202Queries
2Variables
GitHub

Control: 2.2 Ensure that sinks are configured for all log entries

Description

It is recommended to create a sink that will export copies of all the log entries. This can help aggregate logs from multiple projects and export them to a Security Information and Event Management (SIEM).

Log entries are held in Cloud Logging. To aggregate logs, export them to a SIEM. To keep them longer, it is recommended to set up a log sink. Exporting involves writing a filter that selects the log entries to export, and choosing a destination in Cloud Storage, BigQuery, or Cloud Pub/Sub. The filter and destination are held in an object called a sink. To ensure all log entries are exported to sinks, ensure that there is no filter configured for a sink. Sinks can be created in projects, organizations, folders, and billing accounts.

Remediation

From Console

  1. Go to Logs Router by visiting https://console.cloud.google.com/logs/router.
  2. Click on the arrow symbol with CREATE SINK text.
  3. Fill out the fields for Sink details.
  4. Choose Cloud Logging bucket in the Select sink destination drop down menu.
  5. Choose a log bucket in the next drop down menu.
  6. If an inclusion filter is not provided for this sink, all ingested logs will be routed to the destination provided above. This may result in higher than expected resource usage.
  7. Click Create Sink.

From Command Line

  1. To create a sink to export all log entries in a Google Cloud Storage bucket:
gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME
  1. Sinks can be created for a folder or organization, which will include all projects.
gcloud logging sinks create <sink-name> storage.googleapis.com/DESTINATION_BUCKET_NAME --include-children -- folder=FOLDER_ID | --organization=ORGANIZATION_ID

Note:

  • A sink created by the command-line above will export logs in storage buckets. However, sinks can be configured to export logs into BigQuery, or Cloud Pub/Sub, or Custom Destination.
  • While creating a sink, the sink option --log-filter is not used to ensure the sink exports all log entries.
  • A sink can be created at a folder or organization level that collects the logs of all the projects underneath bypassing the option --include-children in the gcloud command.
  • By default, there are no sinks configured.

Usage

Run the control in your terminal:

powerpipe control run gcp_compliance.control.cis_v130_2_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.cis_v130_2_2 --share

SQL

This control uses a named query:

with project_sink_count as (
  select
    project,
    count(*) no_of_sink
  from
    gcp_logging_sink
  where
    filter = ''
    and destination != ''
  group by
    project
)
select
  'https://www.googleapis.com/logging/v2/projects/' || s.project resource,
  case
    when s.no_of_sink > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when s.no_of_sink > 0
      then 'Sinks configured for all log entries.'
    else 'Sinks not configured for all log entries.'
  end as reason
  
  , p.project_id as project
from
  gcp_project p
  left join project_sink_count s on s.project = p.project_id;

Tags

benchmark = cis
category = Compliance
cis_item_id = 2.2
cis_level = 1
cis_section_id = 2
cis_type = automated
cis_version = v1.3.0
plugin = gcp
service = GCP/Logging