Google Cloud — Logging and Security
Within Google Cloud, security teams can improve security by monitoring and analyzing logs. However, what logs and what security tools should security teams focus on? The goal of this blog post is to explain Google Cloud’s logging architecture, define different types of logs, and present options on how to analyze logs. In other words, “How are logs and security related in Google Cloud?” and “How do we use logs to improve security in Google Cloud?”.
Google Cloud Logging Architecture
Logging in Google Cloud is similar to networking. When logs are created, a Cloud Router routes the logs to a destination log bucket similar to how a network router routes packets to a destination network. A log sink within the router filters and determines the destination of the logs similar to how access control lists (ACLs) and routing tables filter and determine the destination of packets.
Google Cloud Security Logs
Google Cloud has several log categories, including security logs that help answer “who did what, where, and when”. Specifically, these security logs are the Cloud Audit Logs and the Access Transparency Logs.
Cloud Audit Logs provide the following audit logs:
- Admin Activity — contains logs for actions that modify resources. These logs are always written.
- Data Access — contains logs that create, modify, or read data. These logs are disabled by default and must be enabled explicitly because they can be quite large.
- System Event — contains logs for Google Cloud actions that modify resources. These logs are always written.
- Policy Denied — contains logs written when a user or service account is denied access because of a security policy violation. These logs are enabled by default but can be filtered out using exclusion filters.
Access Transparency Logs record actions of Google personnel during support requests.
Google Cloud Log Buckets
By default, two log buckets are created in Google Cloud: _Required and _Default. The _Required log bucket cannot be modified or deleted while the _Default bucket can be disabled but not deleted. The Cloud Audit and Transparency Logs are routed as follows:
_Required Log Bucket:
- Admin Activity
- System Event
- Access Transparency Logs
_Default Log Bucket:
- Data Access
- Policy Denied
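As an added illustration (not code from the original post), the following Python models the routing described above: it reads constructed Cloud Audit Log entries in LogEntry JSON form, sends each one to _Required or _Default the way the two default sinks do, applies an optional exclusion filter for Policy Denied logs, and pulls out the fields that answer “who did what, where, and when”. The sample entries, project name and principal addresses are made up; the log IDs in REQUIRED_LOG_IDS mirror the filter on Google's default _Required sink.

```python
import json
from urllib.parse import unquote
# Log IDs captured by the _Required sink (mirrors Google's default sink filter).
REQUIRED_LOG_IDS = {f"{svc}/{kind}"
                    for svc in ("cloudaudit.googleapis.com", "externalaudit.googleapis.com")
                    for kind in ("activity", "system_event", "access_transparency")}
POLICY_DENIED_LOG_ID = "cloudaudit.googleapis.com/policy"  # Policy Denied audit log
def log_id(entry):
    """LOG_ID is the URL-decoded part of logName after '/logs/'."""
    return unquote(entry["logName"].split("/logs/", 1)[1])
def route(entry, exclude_policy_denied=False):
    """Model the Log Router's two default sinks; None means an exclusion filter dropped it."""
    lid = log_id(entry)
    if lid in REQUIRED_LOG_IDS:
        return "_Required"  # always written; this bucket cannot be modified or deleted
    if exclude_policy_denied and lid == POLICY_DENIED_LOG_ID:
        return None  # exclusion filter applied on the _Default sink
    return "_Default"

def who_what_where_when(entry):
    """Audit-log fields that answer 'who did what, where, and when'."""
    p = entry.get("protoPayload", {})
    return {"who": p.get("authenticationInfo", {}).get("principalEmail"),
            "what": p.get("methodName"), "where": p.get("resourceName"),
            "when": entry.get("timestamp")}

def process(json_lines, exclude_policy_denied=False):
    """Parse LogEntry JSON lines, route each one, and summarise what was kept."""
    rows = []
    for line in json_lines:
        entry = json.loads(line)
        bucket = route(entry, exclude_policy_denied)
        if bucket is not None:
            rows.append({"bucket": bucket, "log_id": log_id(entry), **who_what_where_when(entry)})
    return rows

def _entry(kind, ts, who, what, where):  # constructed LogEntry JSON line, not a real log
    return json.dumps({"logName": f"projects/demo-proj/logs/cloudaudit.googleapis.com%2F{kind}",
                       "timestamp": ts,
                       "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                                        "authenticationInfo": {"principalEmail": who},
                                        "methodName": what, "resourceName": where}})
SAMPLE_LINES = [  # constructed samples: an IAM change, a data read, a policy denial
    _entry("activity", "2024-05-01T10:00:00Z", "alice@example.com", "SetIamPolicy", "projects/demo-proj"),
    _entry("data_access", "2024-05-01T10:05:00Z", "svc@demo-proj.iam.gserviceaccount.com",
           "storage.objects.get", "projects/_/buckets/demo-bucket/objects/report.csv"),
    _entry("policy", "2024-05-01T10:07:00Z", "bob@example.com", "storage.objects.list",
           "projects/_/buckets/demo-bucket"),
]
```

Running `process(SAMPLE_LINES)` places the Admin Activity entry in _Required and the other two in _Default; with `exclude_policy_denied=True` the Policy Denied entry is dropped, as it would be by an exclusion filter on the _Default sink.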
Google Cloud Security Analysis
Once the logs are in their respective log bucket, there are multiple ways to view, query, and analyze them.
Logs Explorer:
- Uses Logging Query Language
- The original logging tool
- Google provides sample queries
Log Analytics:
- Powered by BigQuery and uses SQL
- No additional costs beyond Logs Explorer
- Requires upgrading log buckets to use Log Analytics
- Google provides sample queries for security insights
- Option to use a visualization tool such as Looker for better insights
- Community-supported queries are available on GitHub
Security Command Center Premium — Event Threat Detection:
- Monitors the logging stream and identifies threats in near-real time
- Applies detection logic and proprietary threat intelligence
- Regularly updated with new detectors to identify emerging threats
- Requires Security Command Center Premium (SCCP)
- Information is automatically visualized in SCCP for easier investigation
Summary
Users can leverage Google Cloud’s logging capabilities to collect and analyze security logs. Logs are categorized and routed to specific buckets based on their type. Once logs are collected, teams can use various tools to analyze them, including the Logs Explorer, Log Analytics, and Security Command Center Premium. These tools provide different ways to query and visualize logs, allowing teams to identify threats and investigate security incidents more efficiently.
Additional Resources
https://cloud.google.com/architecture/security-foundations/logging-monitoring
https://cloud.google.com/blog/products/data-analytics/top-10-reasons-to-get-started-with-log-analytics-powered-by-bq
https://www.cloudskillsboost.google/course_templates/99/preview
https://www.cloudskillsboost.google/focuses/10911?parent=catalog
https://www.cloudskillsboost.google/focuses/49749?parent=catalog
https://www.youtube.com/watch?v=iR8GjOwTOrQ
https://www.youtube.com/watch?v=dLOyUy1BlIs&list=PLIivdWyY5sqLO-4ePY-A2yROgONOA6Cz4&index=10
https://www.youtube.com/watch?v=SaLHDNqrZ80&list=PLIivdWyY5sqLO-4ePY-A2yROgONOA6Cz4&index=11
https://www.youtube.com/watch?v=hh_z8qEwGfQ