Auditing Your Backup Storage on Google Cloud Platform (GCP)

Auditing Your Backup Storage on Google Cloud Platform (GCP)

Andrew Abwoga
09 June 2020

 

Auditing is critical when it comes to tracking changes - both legitimate and malicious - to your backups. By recording and tracking backup related activity, you stand a chance of ensuring that the security of your backups is in check. This blog takes you through some tips on how to set up and use Google Cloud Platform's (GCP's) audit features for your backup storage.

The most common way to audit your backup storage is by reviewing the cloud audit logs. GCP maintains three kinds of cloud audit logs at a project, folder, or organization level. The logs that are maintained are Admin Activity, Data Access, and System Event logs. The main goal of these logs is to be able to answer the questions of "who did what, where, and when?". Going forward, we discuss access controls, audit logs, and summarize tips to ensure you can effectively protect and audit your backup storage.

Access Controls

Auditing is relative to the access controls that apply to your storage. Before thinking about auditing, it's essential to have a pre-existing access control policy, or rather; access controls that have already been applied to your backup storage. GCP allows you to authenticate subjects and define permissions or access control lists (ACL's) to your storage. With the appropriate access given, your audits logs only become a portrayal of the access controls put in place before auditing. As such, it's essential to think about access controls as you think about auditing your backup storage.

Authentication

Cloud storage can be accessed using the authentication methods below:

  1. OAuth 2.0 used for API authentication and authorization. Usually, cloud storage is accessed using a server-centric flow where an application holds the credentials of a service account to complete authentication or a user-centric flow where a user supplies credentials to an application so that it can access the storage.
  2. gsutil authentication can be used to authenticate with service account credentials.
  3. Client library authentication is used by libraries to access storage using Application Default Credentials.

Also, GCP supports a couple of credential types for accessing storage. The credential types used are:

  1. OAuth2 User Account
  2. Hash Message Authentication Code (HMAC)
  3. OAuth2 Service Account,
  4. GCE Internal Service Account
  5. Service Account Impersonation.

HMAC keys are commonly used to access cloud storage on behalf of a user. HMAC key is essentially a combination of an access ID and a secret. Backup Ninja uses HMAC keys supplied by the user to access and store backups on Google storage buckets. It’s important to ensure that the secret key is kept secret to prevent unauthorized access to your backups.

For you to retrieve a user HMAC key combination from Google console you can follow the following steps:

  1. Open the Cloud Storage browser in the Google Cloud Console.
  2. Click Settings on the left menu bar.
  3. Select the Interoperability tab.
  4. Click + Create a key under the Service account HMAC section in case you have a dedicated service account for doing your backups or you can also create a User account HMAC under the User account HMAC section. Creating a User account HMAC will require you to specify a Default project for interoperability. The screenshot below shows the Service account and User account HMAC section respectively.
GCP Access Controls

After you get the HMAC key combination generated, you can input the access ID and secret respectively, on Backup Ninja’s cloud credentials section as requested in the screenshot below.

Backup Ninja Access Controls

It’s also important to ensure that your backup storage cannot be accessed anonymously by anyone on the internet. This is possible if the allUsers group has READ permissions on a storage object.

Authorization

In GCP, pre-defined roles and permissions are applied to cloud storage. Below are the roles and permissions that apply to GCP cloud storage.

  1. Storage Object Creator Role  
    1. Has permission to create storage objects. (storage.objects.create)
  2. Storage Object Viewer Role 
    1. Has permission to view objects and their metadata. (storage.objects.get)
    2. Has permission to list objects in a bucket. (storage.objects.list)
  3. Storage Object Admin Role 
    1. Has permission to list, create, view, and delete objects. (storage.objects.*)
  4. Storage Admin
    1. Has full permissions over buckets and their objects. (storage.buckets.* and storage.objects.*)

GCP also gives you the ability to create granular access levels that apply to individual objects within a bucket by using ACL's. With this level of granularity, you can define "who has access" to individual buckets and objects, as well as "what level of access" they have. ACL's mainly consist of one or more entries. An entry gives a specific user (or group) the ability to perform specific actions on the bucket or object. However, it can be tedious to micro-manage access by working with multiple ACL entries. Google recommends the use of Cloud IAM where you can apply permissions that are common to all objects within a bucket.

Auditing

Admin Activity and System Event logs

Admin activity logs pertain to the modification of configuration or metadata of a bucket or object. You don't necessarily need to enable admin activity logs on GCP since it's enabled out-of-the-box. On the other hand, System event logs contain entries for Google Cloud administrative actions that modify the configuration of resources. They are also enabled out-of-the-box.

Data Access logs

Data access logs pertain to activity that creates, modifies, or reads user-provided resource data. Data access logs are not enabled out-of-the-box. For you to be able to track any user-related activity on your cloud storage you need to enable data access logs. In most cases, data access logs will be your go-to logs for doing an investigation. Below we look at how to enable data access logs. 

How to enable data access logs
  1. Login and select the navigation menu icon on Google Cloud Console.
  2. Select IAM & Admin option.
  3. Navigate further on the sub-menu that appears to the right of the menu and select Audit logs.
  4. Find Google Cloud Storage item on the main bar and check it.
  5. Select Admin Read, Data Read, and Data Write on the right menu that appears and Save.
How to enable data access logs GCP

Conclusion

All that has been discussed in the previous sections cumulates to the tips below:

  1. Ensure you implement an access control policy. That is by defining who or what needs access to your backup, how they can authenticate to access the backups, and what level of access or permissions they need.
  2. Keep your secret keys secret.
  3. Ensure your cloud storage cannot be accessed anonymously, by anyone on the internet. 
  4. Enable data access logs to be able to track user-related activity that pertains to your buckets and objects. 
  5. Create a habit of regularly reviewing audit logs and revising access entitlements for different applications or users.