Secure Deployment & Hardening of Google Cloud Platform (GCP) Projects — Part III

Aligned with CIS Google Cloud Platform Benchmark

CIS Section 2 — Logging and Monitoring

Logging and monitoring form the detection, accountability and forensic backbone of any secure GCP deployment.

Without comprehensive logging:

  • Privileged activity becomes invisible
  • Lateral movement is undetectable
  • Incident response is severely limited
  • Regulatory and audit requirements cannot be met

Security Principle

In cloud environments, “If it is not logged, it effectively did not happen.”

Control 2.1

Ensure That Cloud Audit Logging Is Configured Properly Across All Projects

CIS ID: 2.1

  • Section: Logging and Monitoring
  • Severity: Critical
  • Automatable: Yes
  • Check Type: gcloud

Purpose & Risk

Cloud Audit Logs capture:

  • Administrative activity
  • IAM changes
  • Policy modifications
  • Service configuration updates

Disabling or misconfiguring these logs results in:

  • No accountability for privileged actions
  • No forensic trail after compromise
  • Inability to meet compliance requirements

This is a direct detection and governance failure.

Secure Configuration Guidance

Ensure the following logs are enabled for all projects:

  • Admin Activity (always on)
  • Data Access (for critical services)
  • System Events
  • Policy Denied

Prefer:

  • Organization-level configuration
  • Centralised export to a logging project

Implementation Notes

Audit logging configuration:

gcloud projects get-iam-policy PROJECT_ID \
--format=json

Check:

  • AuditConfig entries
  • Disabled log types
  • Exclusions

For organization:

gcloud logging sinks list --organization=ORG_ID

Operational Considerations

  • Enable Data Access logs at least for: IAM, KMS, Storage, BigQuery
  • Monitor: Logging exclusions, Sink failures, Retention changes
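An added worked example (not from the original post) of the check described above: it parses the auditConfigs section of the JSON returned by gcloud projects get-iam-policy and reports, for the four services the post names, missing Data Access log types and any exempted members. The sample policy is constructed inline; the service names and the union semantics of allServices plus service-specific entries follow the IAM policy format.

```python
import json

# Services the post lists for Data Access logs, by their audit-config
# service name (assumption: these are the names GCP uses in auditConfigs).
CRITICAL_SERVICES = {"iam.googleapis.com", "cloudkms.googleapis.com",
                     "storage.googleapis.com", "bigquery.googleapis.com"}
DATA_ACCESS_TYPES = {"DATA_READ", "DATA_WRITE"}

# Constructed sample of `gcloud projects get-iam-policy PROJECT_ID
# --format=json`, trimmed to the auditConfigs section this check reads.
SAMPLE_POLICY = json.dumps({
    "auditConfigs": [
        {"service": "allServices",
         "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {"service": "storage.googleapis.com",
         "auditLogConfigs": [
             {"logType": "DATA_READ",
              "exemptedMembers": ["user:svc-backup@example.com"]},
             {"logType": "DATA_WRITE"}]},
        {"service": "bigquery.googleapis.com",
         "auditLogConfigs": [{"logType": "DATA_READ"}]},
    ],
})

def audit_data_access(policy_json, services=CRITICAL_SERVICES):
    """Return (service, problem) pairs for Data Access logging gaps.

    allServices and a service-specific entry are combined as a union: a
    log type enabled in either counts, and exemptions from either apply."""
    by_service = {}
    for cfg in json.loads(policy_json).get("auditConfigs", []):
        entry = by_service.setdefault(cfg["service"], {})
        for lc in cfg.get("auditLogConfigs", []):
            entry.setdefault(lc["logType"], set()).update(
                lc.get("exemptedMembers", []))
    default = by_service.get("allServices", {})
    findings = []
    for svc in sorted(services):
        specific = by_service.get(svc, {})
        enabled = set(default) | set(specific)
        for lt in sorted(DATA_ACCESS_TYPES - enabled):
            findings.append((svc, f"{lt} not enabled"))
        for lt in sorted(DATA_ACCESS_TYPES & enabled):
            for member in sorted(default.get(lt, set()) | specific.get(lt, set())):
                findings.append((svc, f"{lt} exempts {member}"))
    return findings

if __name__ == "__main__":
    for svc, problem in audit_data_access(SAMPLE_POLICY):
        print(f"{svc}: {problem}")
```

Run it against real output by piping the gcloud command into a file and passing its contents to audit_data_access.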

Control 2.2

Ensure That Cloud Audit Logs Are Retained for a Minimum Period

CIS ID: 2.2

  • Section: Logging and Monitoring
  • Severity: High
  • Automatable: Yes
  • Check Type: gcloud

Purpose & Risk

Short log retention leads to:

  • Loss of forensic evidence
  • Inability to investigate delayed detections
  • Compliance violations

Attackers frequently:

  • Remain dormant for weeks
  • Perform slow privilege escalation

Short retention windows directly reduce detection capability.

Secure Configuration Guidance

Recommended minimum retention:

  • 90 days for operational security
  • 180–365 days for compliance and forensics

Apply retention at:

  • Logging bucket level
  • Central logging project

Implementation Notes

Audit retention policies:

gcloud logging buckets describe _Default \
--location=global

Check:

  • retentionDays
  • locked status

Operational Considerations

  • Use: Central logging project, Immutable retention for critical logs
  • Export to: SIEM, Long-term archive (Coldline / BigQuery)

Control 2.3

Ensure That Log Exports Are Configured for Security Monitoring

CIS ID: 2.3

  • Section: Logging and Monitoring
  • Severity: High
  • Automatable: Yes
  • Check Type: gcloud

Purpose & Risk

Local-only logging introduces:

  • Single point of failure
  • Tampering risk
  • No SOC visibility

Central export enables:

  • Cross-project correlation
  • SIEM ingestion
  • Threat detection
  • Compliance reporting

Secure Configuration Guidance

Configure:

  • Organization-level sinks
  • Export destinations: SIEM, BigQuery, Storage

Export at least:

  • Admin Activity
  • IAM changes
  • Network logs
  • Firewall logs

Implementation Notes

Audit sinks:

gcloud logging sinks list --organization=ORG_ID

Check:

  • Destination type
  • Included log types
  • Sink permissions

Operational Considerations

  • Protect sinks from deletion
  • Monitor: Sink errors, Export latency
  • Validate ingestion into SOC tooling

Control 2.4

Ensure That VPC Flow Logs Are Enabled for All Subnets

CIS ID: 2.4

  • Section: Logging and Monitoring
  • Severity: High
  • Automatable: Yes
  • Check Type: gcloud

Purpose & Risk

Without flow logs:

  • Network lateral movement is invisible
  • Exfiltration paths are hidden
  • No traffic baselining is possible

This significantly weakens:

  • Detection engineering
  • Incident response
  • Network forensics

Secure Configuration Guidance

Enable VPC Flow Logs on:

  • All production subnets
  • All shared VPC subnets
  • All sensitive workloads

Prefer:

  • Full metadata
  • Sampling disabled or low

Implementation Notes

Audit subnets:

gcloud compute networks subnets list \
--format="table(name,region,enableFlowLogs)"

Identify:

  • Subnets with enableFlowLogs = false
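An added example (not from the original post) that goes one step beyond the table above: it reads the JSON form of gcloud compute networks subnets list and flags not only subnets with flow logs off but also those whose logConfig falls short of the "full metadata, sampling disabled or low" guidance. The subnet list is constructed inline; MIN_FLOW_SAMPLING is an assumed threshold, with flowSampling 1.0 taken to mean sampling is disabled.

```python
import json

MIN_FLOW_SAMPLING = 0.5   # assumption: GCP's default rate; set 1.0 to demand no sampling
FULL_METADATA = "INCLUDE_ALL_METADATA"

# Constructed sample of `gcloud compute networks subnets list --format=json`,
# trimmed to the fields this check reads.
REGION = "https://www.googleapis.com/compute/v1/projects/example-proj/regions/"
SAMPLE_SUBNETS = json.dumps([
    {"name": "prod-web", "region": REGION + "us-central1", "enableFlowLogs": True,
     "logConfig": {"enable": True, "flowSampling": 1.0,
                   "metadata": FULL_METADATA, "aggregationInterval": "INTERVAL_5_SEC"}},
    {"name": "prod-db", "region": REGION + "us-central1", "enableFlowLogs": False},
    {"name": "shared-app", "region": REGION + "europe-west1", "enableFlowLogs": True,
     "logConfig": {"enable": True, "flowSampling": 0.1,
                   "metadata": "EXCLUDE_ALL_METADATA"}},
    {"name": "legacy", "region": REGION + "europe-west1"},   # flow logs never configured
])

def check_flow_logs(subnets_json, min_sampling=MIN_FLOW_SAMPLING):
    """Return (subnet, region, problem) triples for subnets that fall short
    of the guidance: flow logs on, full metadata, sampling at or above
    min_sampling. Fields absent from the JSON take GCP's defaults."""
    findings = []
    for sn in json.loads(subnets_json):
        cfg = sn.get("logConfig", {})
        where = (sn["name"], sn["region"].rsplit("/", 1)[-1])
        # logConfig.enable is authoritative; fall back to the older enableFlowLogs flag.
        if not cfg.get("enable", sn.get("enableFlowLogs", False)):
            findings.append(where + ("flow logs disabled",))
            continue
        sampling = cfg.get("flowSampling", 0.5)
        if sampling < min_sampling:
            findings.append(where + (f"flowSampling {sampling} below {min_sampling}",))
        metadata = cfg.get("metadata", FULL_METADATA)
        if metadata != FULL_METADATA:
            findings.append(where + (f"metadata {metadata}, not {FULL_METADATA}",))
    return findings

if __name__ == "__main__":
    for name, region, problem in check_flow_logs(SAMPLE_SUBNETS):
        print(f"{region}/{name}: {problem}")
```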

Operational Considerations

  • Balance: Visibility vs cost
  • Export flow logs to: SIEM, BigQuery
  • Correlate with: Firewall logs, Threat intel

Control 2.5

Ensure That Firewall Rules Logging Is Enabled

CIS ID: 2.5

  • Section: Logging and Monitoring
  • Severity: Medium
  • Automatable: Yes
  • Check Type: gcloud

Purpose & Risk

Without firewall logging:

  • Blocked attacks are invisible
  • Misconfigurations go unnoticed
  • No visibility into rule effectiveness

This reduces:

  • Network security posture awareness
  • Attack detection capability

Secure Configuration Guidance

Enable logging for:

  • Ingress deny rules
  • High-risk allow rules
  • Internet-facing rules

Prefer:

  • Logging on all perimeter rules

Implementation Notes

Audit firewall rules:

gcloud compute firewall-rules list \
--format="table(name,network,direction,logConfig.enable)"

Identify:

  • Rules with logging disabled
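An added example (not from the original post) that turns the "Identify" step into a prioritised finding list: it reads the JSON form of gcloud compute firewall-rules list, skips rules that already log, and tags the rest with the categories the guidance names (ingress deny, internet-facing, high-risk allow). The rule list is constructed inline; treating an allow rule for all protocols as "high-risk" is this example's assumption.

```python
import json

INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed sample of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields this check reads.
SAMPLE_RULES = json.dumps([
    {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": False}},
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}],
     "logConfig": {"enable": False}},
    {"name": "allow-internal", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}],
     "logConfig": {"enable": True}},
    {"name": "allow-egress-web", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},   # logConfig absent
])

def why_log(rule):
    """Reasons, from the post's three categories, why this rule needs logging."""
    reasons = []
    ingress = rule.get("direction", "INGRESS") == "INGRESS"
    ranges = set(rule.get("sourceRanges" if ingress else "destinationRanges", []))
    if ingress and "denied" in rule:
        reasons.append("ingress deny")
    if ranges & INTERNET:
        reasons.append("internet-facing")
    # Assumption: "high-risk allow" = an allow rule open to every protocol and port.
    if any(a.get("IPProtocol") == "all" for a in rule.get("allowed", [])):
        reasons.append("high-risk allow (all protocols)")
    return reasons

def unlogged_rules(rules_json):
    """Return (rule name, reasons) for rules that should log but do not."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("logConfig", {}).get("enable", False):
            continue  # logging already on; an absent logConfig means off
        reasons = why_log(rule)
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in unlogged_rules(SAMPLE_RULES):
        print(f"{name}: enable logging ({', '.join(reasons)})")
```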

Operational Considerations

  • Monitor: Repeated denies, Unexpected allows
  • Use logs for: Threat hunting, Rule optimisation

Next: CIS Section 3 — Networking

Need Help?

The functionality discussed in this post, and so much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Original link: https://socfortress.medium.com/secure-deployment-hardening-of-google-cloud-platform-gcp-projects-part-iii-100704b950ed?source=rss-36613248f635------2