How to monitor the command lines that are executed in gcp at the logs level?

Time:10-21

Currently I want to have a monitoring to know who and what is executing at the gcloud level, for example to know if someone executes:

gcloud iam service-accounts list.

The objective is to have a control in case an attacker or another person manages to enter and know the list of service accounts. The objective is to be able to visualize it through the Logs Explorer and then make a Sink towards the SIEM.

Can this be done?

CodePudding user response:

Every time someone (or something, e.g. Terraform) makes changes to your GCP environment or performs some sensitive access, audit records are automatically recorded and are immutable. This means that they cannot be deleted or otherwise hidden. These audit records are written to GCP Cloud Logging and can be viewed/reviewed using the Cloud Logging explorer tools. Should you need, you can also set up alerts or other triggers that are automatically fired if certain log records (audit activities) are detected. The full documentation for GCP Audit Logs can be found here:

https://cloud.google.com/logging/docs/audit

Rather than try and repeat that information, let me encourage you to review that article in depth.

For the specific question on gcloud, it helps to realize that everything in GCP happens through the API. This means that when you execute a gcloud command (anywhere), that results in an API request to perform the task being sent to GCP. It is here that GCP writes the audit records into the log.

As far as sinking the audit trail written to Cloud Logging to a SIEM, that is absolutely possible. My recommendation is to split the overall puzzle into parts. For part 1, prove to yourself that the audit records you care about are being written to Cloud Logging ... and for part 2, prove to yourself that any and all Cloud Logging records can (with filters) be exported out of Cloud Logging to an external SIEM or to GCP Cloud Storage for long term storage.
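As an added example for "part 1" (this is not code from the original answer): the Logs Explorer query that selects the audit record produced by `gcloud iam service-accounts list`, and the same matching applied in Python to constructed audit entries in the newline-delimited JSON shape a sink exports. Assumptions: the IAM "Admin Read" Data Access audit log type is enabled on the project (these read calls are not logged by default), `PROJECT_ID` is a placeholder, and the `command/gcloud....` token in the caller-supplied user agent is an assumption about how gcloud identifies itself.

```python
import json
import re

# Logs Explorer query equivalent to the matching below (PROJECT_ID is a placeholder).
# Assumption: Data Access audit logs (ADMIN_READ) are enabled for the IAM API;
# otherwise ListServiceAccounts calls are never written and nothing can match.
LOGS_EXPLORER_QUERY = (
    'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access"\n'
    'protoPayload.methodName="google.iam.admin.v1.ListServiceAccounts"'
)

WATCHED_METHODS = {"google.iam.admin.v1.ListServiceAccounts"}

# Assumption: gcloud names the command it ran inside the user agent, e.g.
# "command/gcloud.iam.service-accounts.list"; other clients (Terraform, SDKs) do not.
GCLOUD_COMMAND_RE = re.compile(r"command/(gcloud\.[\w.-]+)")


def summarise(entry):
    """Return who/what/from-where for one audit LogEntry, or None if not watched."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") not in WATCHED_METHODS:
        return None
    meta = payload.get("requestMetadata", {})
    match = GCLOUD_COMMAND_RE.search(meta.get("callerSuppliedUserAgent", ""))
    return {
        "time": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "method": payload["methodName"],
        "caller_ip": meta.get("callerIp"),
        "gcloud_command": match.group(1) if match else None,  # None for non-gcloud callers
    }


def find_watched_calls(ndjson_lines):
    """Run the check over newline-delimited JSON entries, as a sink would export them."""
    return [s for s in (summarise(json.loads(l)) for l in ndjson_lines) if s]


# Constructed sample entries (trimmed to the fields used above); not real log data.
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"timestamp": "2022-10-21T10:00:00Z", "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.5",
                                          "callerSuppliedUserAgent": "google-cloud-sdk gcloud/400.0.0 command/gcloud.iam.service-accounts.list"}}},
    {"timestamp": "2022-10-21T10:01:00Z", "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccount",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"timestamp": "2022-10-21T10:02:00Z", "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"methodName": "google.iam.admin.v1.ListServiceAccounts",
                      "authenticationInfo": {"principalEmail": "terraform@PROJECT_ID.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "Terraform/1.3.0"}}},
]]
```

The second entry is an Admin Activity record and is deliberately not matched; the third shows that the same method is reached without gcloud, which is why the filter keys on `methodName` rather than on the user agent.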
