Policy: GCP > CIS v3.0 > 2 - Logging and Monitoring
This section covers recommendations addressing Logging and Monitoring on Google Cloud Platform.
Targets
This policy targets the following resource types:
Primary Policy
This policy is used with the following primary policy:
Related Policies
- 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
- 2.02 - Ensure That Sinks Are Configured for All Log Entries
- 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
- 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- 2.12 - Ensure That Cloud DNS Logging Is Enabled for All VPC Networks
- 2.13 - Ensure Cloud Asset Inventory Is Enabled
- 2.14 - Ensure 'Access Transparency' is 'Enabled'
- 2.15 - Ensure 'Access Approval' is 'Enabled'
- 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
- Maximum Attestation Duration
Controls
Setting this policy configures these controls:
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.01 - Ensure That Cloud Audit Logging Is Configured Properly
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.02 - Ensure That Sinks Are Configured for All Log Entries
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.03 - Ensure That Retention Policies on Cloud Storage Buckets Used for Exporting Logs Are Configured Using Bucket Lock
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.05 - Ensure That the Log Metric Filter and Alerts Exist for Audit Configuration Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.06 - Ensure That the Log Metric Filter and Alerts Exist for Custom Role Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.07 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Firewall Rule Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.08 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Route Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.09 - Ensure That the Log Metric Filter and Alerts Exist for VPC Network Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.10 - Ensure That the Log Metric Filter and Alerts Exist for Cloud Storage IAM Permission Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.11 - Ensure That the Log Metric Filter and Alerts Exist for SQL Instance Configuration Changes
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.13 - Ensure Cloud Asset Inventory Is Enabled
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.14 - Ensure 'Access Transparency' is 'Enabled'
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.15 - Ensure 'Access Approval' is 'Enabled'
- GCP > CIS v3.0 > 2 - Logging and Monitoring > 2.16 - Ensure Logging is enabled for HTTP(S) Load Balancer
Policy Specification
Schema Type | |
|---|---|
Default | |
Valid Values [YAML] |
|
Examples [YAML] |
|
Category
In Your Workspace
Developers
- tmod:@turbot/cis#/control/categories/cis
- tmod:@turbot/gcp-cisv3-0#/policy/types/s02
- turbot graphql policy-type --id "tmod:@turbot/gcp-cisv3-0#/policy/types/s02"
- turbot graphql policy-settings --filter "policyTypeId:tmod:@turbot/gcp-cisv3-0#/policy/types/s02"
Get Policy TypeGet Policy Settings
Category URI
Policy Type URI
GraphQL
CLI