More Info:

DATA_READ, DATA_WRITE and ADMIN_READ logs should be enabled on Cloud Functions

Risk Level

Medium

Address

Operational Maturity, Reliability, Security

Compliance Standards

CISGCP, CBP, GDPR, HIPAA, ISO27001

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” for GCP using GCP console, follow the steps below:
  1. Open the Google Cloud Console and select the project where the Cloud Function is located.
  2. Navigate to the Cloud Functions page by selecting “Cloud Functions” from the left-hand menu.
  3. Select the Cloud Function for which you want to enable logging.
  4. Click on the “Edit” button on the top of the page to edit the Cloud Function settings.
  5. Scroll down to the “Logging” section and click on the “Enable” button to enable logging for the Cloud Function.
  6. Choose the desired log level and log retention period.
  7. Click on the “Save” button to save the changes.
Once logging is enabled for the Cloud Function, you will be able to see the logs in the Stackdriver Logging Console.

To remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” in GCP using GCP CLI, follow the steps below:
  1. Open the Google Cloud SDK Shell or any other terminal.
  2. Run the following command to enable logging for a Cloud Function in the current project:
     gcloud functions deploy FUNCTION_NAME --enable-logging
     Note: Replace FUNCTION_NAME with the name of the function for which you want to enable logging.
  3. Verify that logging is enabled for the Cloud Function by running the following command:
     gcloud functions describe FUNCTION_NAME
     Note: Replace FUNCTION_NAME with the name of the function for which you enabled logging.
  4. Look for the loggingEnabled field in the output of the above command. It should be set to true, indicating that logging is enabled for the Cloud Function.
  5. Repeat the above steps for all the Cloud Functions in the project to ensure that logging is enabled for all of them.
By following these steps, you can remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” in GCP using GCP CLI.

To remediate the misconfiguration “Cloud Functions Logging Should Be Enabled” in GCP using Python, follow these steps:
  1. Open the Google Cloud Console and go to the Cloud Functions section.
  2. Select the function for which you want to enable logging.
  3. Click on the “Edit” button at the top of the page.
  4. Scroll down to the “Logging” section and click on the “Enable” button.
  5. Select the log level you want to enable (e.g., “Debug”, “Info”, “Warning”, “Error”, or “Critical”).
  6. Click on the “Save” button to save the changes.
Alternatively, you can use the gcloud command-line tool to enable logging for the function. Here’s an example command:
gcloud functions update FUNCTION_NAME --log-http --verbosity=debug
Replace FUNCTION_NAME with the name of your function. The --log-http flag enables HTTP request logging, and the --verbosity flag sets the log level to “debug”. You can change the log level as needed.
Once you’ve enabled logging for the function, you can view the logs in the Cloud Logging section of the Google Cloud Console.
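
The rule named at the top of this page concerns the ADMIN_READ, DATA_READ and DATA_WRITE audit log types, which GCP configures through `auditConfigs` entries in the project IAM policy. The Python below is an added example, not code from the original page: it checks a policy document (as exported by `gcloud projects get-iam-policy PROJECT_ID --format=json`) for those three types on `cloudfunctions.googleapis.com` and builds a corrected copy. The function names and the sample policy are constructed for illustration.

```python
import copy

SERVICE = "cloudfunctions.googleapis.com"
REQUIRED = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

def audit_status(policy, service=SERVICE):
    """Map each required log type to None (off) or its list of exempted members."""
    status = {t: None for t in REQUIRED}
    for cfg in policy.get("auditConfigs", []):
        # An "allServices" entry applies to every service in the project.
        if cfg.get("service") not in (service, "allServices"):
            continue
        for alc in cfg.get("auditLogConfigs", []):
            t = alc.get("logType")
            if t in status:
                status[t] = (status[t] or []) + alc.get("exemptedMembers", [])
    return status

def findings(policy, service=SERVICE):
    out = []
    for t, exempt in audit_status(policy, service).items():
        if exempt is None:
            out.append(f"{t} not enabled for {service}")
        elif exempt:
            # Enabled, but some identities are excluded from the log.
            out.append(f"{t} enabled but exempts {sorted(set(exempt))}")
    return out

def remediate(policy, service=SERVICE):
    """Return a copy with missing log types added; bindings and etag are kept."""
    fixed = copy.deepcopy(policy)
    missing = [t for t, e in audit_status(policy, service).items() if e is None]
    if not missing:
        return fixed
    configs = fixed.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c.get("service") == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    entry.setdefault("auditLogConfigs", []).extend({"logType": t} for t in missing)
    return fixed

# Constructed sample, shaped like the JSON output of get-iam-policy.
SAMPLE = {"bindings": [], "etag": "CONSTRUCTED_ETAG", "auditConfigs": [
    {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
    {"service": SERVICE, "auditLogConfigs": [
        {"logType": "DATA_WRITE", "exemptedMembers": ["user:ci@example.com"]}]},
]}
```

The corrected policy can be saved as JSON and written back with `gcloud projects set-iam-policy PROJECT_ID policy.json`. Exempted members are reported rather than removed, since dropping an exemption is a decision for whoever owns the policy.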
