Cloud Storage – Enable Bucket Logging
This check ensures that Google Cloud Storage buckets have access logging enabled to track and audit bucket activity. Access logging helps identify unauthorized access, troubleshoot issues, and maintain compliance.
Check Details
- Resource: Storage
- Check: Enable access logging for buckets
- Risk: Without access logging, bucket activity cannot be tracked or audited, increasing the risk of undetected unauthorized access.
Remediation via Google Cloud Console
- Log in to the Google Cloud Console and navigate to Buckets.
- Click on the name of the affected Cloud Storage bucket.
- Go to the Edit bucket tab.
- Locate the Logging section and click Enable.
- Select or create a destination bucket to store the logs.
  ⚠️ The destination bucket must be writable and should not have logging enabled to avoid log loops.
- Click Save to apply the changes.
Remediation via Google Cloud CLI
- Open the Google Cloud Console and launch Cloud Shell.
- Enable access logging for the bucket:
    gsutil logging set on -b gs://<DESTINATION_BUCKET_NAME> gs://<SOURCE_BUCKET_NAME>
  Replace <SOURCE_BUCKET_NAME> with the bucket to monitor and <DESTINATION_BUCKET_NAME> with the bucket to store logs.
Default Value
By default, access logging is disabled for Google Cloud Storage buckets.
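The following is an added example, not part of the original page: a Python check over bucket metadata that flags buckets with access logging disabled and the log-loop case named in the warning above. It assumes the metadata has the shape of Cloud Storage JSON API bucket resources (a `logging.logBucket` field); the function names and the sample bucket names are constructed for illustration.

```python
# Added example: audit bucket metadata for missing access logging and log loops.
# Assumption: each entry looks like a Cloud Storage JSON API bucket resource,
# where access logging appears as {"logging": {"logBucket": "...", ...}}.

def log_target(bucket):
    """Return the destination bucket name, or None when logging is off."""
    return (bucket.get("logging") or {}).get("logBucket") or None


def audit_bucket_logging(buckets):
    """Return {bucket_name: [findings]} for every bucket with a problem."""
    targets = {b["name"]: log_target(b) for b in buckets}
    destinations = {t for t in targets.values() if t}
    findings = {}
    for name, target in targets.items():
        issues = []
        # A bucket that only receives logs is expected to have logging off.
        if target is None and name not in destinations:
            issues.append("access logging disabled")
        if target == name:
            issues.append("logs to itself (log loop)")
        elif target and name in destinations:
            issues.append("destination bucket has logging enabled (log loop)")
        if target and target not in targets:
            issues.append("destination not in inventory, verify it is writable: " + target)
        if issues:
            findings[name] = issues
    return findings


# Constructed sample inventory (not real buckets).
SAMPLE_BUCKETS = [
    {"name": "app-data", "logging": {"logBucket": "audit-logs", "logObjectPrefix": "app-data"}},
    {"name": "audit-logs"},                                    # destination, logging off
    {"name": "uploads"},                                       # logging never enabled
    {"name": "reports", "logging": {"logBucket": "reports"}},  # points at itself
    {"name": "archive", "logging": {"logBucket": "archive-logs"}},
    {"name": "archive-logs", "logging": {"logBucket": "audit-logs"}},  # destination that also logs
]

if __name__ == "__main__":
    for bucket_name, issues in audit_bucket_logging(SAMPLE_BUCKETS).items():
        for issue in issues:
            print(bucket_name + ": " + issue)
```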