Skip to content

Logging

Architecture

For an overview of how to design a state of the art multi-account security logging platform in GCP:

Code Samples

Link Notes
Google Community Security Analytics (CSA)
  • Pre-built queries and rules to start analyzing Google Cloud logs (Cloud Audit logs, VPC Flow logs, DNS logs, etc.)
  • 6 categories:
    • 🚦 Login & Access Patterns
    • 🔑 IAM, Keys & Secrets Admin Activity
    • 🏗️ Cloud Provisoning Activity
    • ☁️ Cloud Workload Usage
    • 💧 Data Usage
    • ⚡ Network Activity

References

Link Notes
Logging in the Cloud: From Zero to (Incident Response) Hero
  • Annotated slides of a talk which tries to answer questions like "What Should I Be Logging?", "How Specifically Should I Configure it?", and "What Should I Be Monitoring?"
  • Especially interesting since it doesn't cover only AWS, but also GCP and Azure
Best practices for monitoring GCP audit logs Nice primer on GCP audit logs, which covers the structure of GCP audit logs, best practices for using audit logs to monitor GCP security, and how how to export audit logs from GCP.
Auto-launching Packet Mirroring for application monitoring How to use Cloud Logging, Pub/Sub, and Cloud Functions to auto-enable Packet Mirroring to monitor and troubleshoot traffic flows in VPCs
Logs-based Security Alerting in Google Cloud: Detecting attacks in Cloud Identity A primer on Cloud Identity logs
Export Google Cloud security data to your SIEM system How to deploy a unified export pipeline that uses Cloud Pub/Sub and Dataflow to aggregate and stream logs from Cloud Logging, security findings from Security Command Center, and asset changes from Cloud Asset Inventory
Auditing GKE operations? Configure Data Access audit logs
  • The GKE Admin Activity logs are missing get operations on Secret objects by default
  • So for example, if you store a service account password in your cluster as a Kubernetes secret, a kubectl get secret service_account_password -o yaml will get an attacker the entire secret without logging a single line into the audit logs.