🔷 CIS GCP 2.1 | Rule: GCP-LOG-001 | Severity: high

Ensure Cloud Audit Logging is enabled for all services

Description

Admin Activity and Data Access audit logs must be enabled across all services.

⚠️ Risk Impact

Without audit logs, unauthorized access, data exfiltration, and privilege escalation cannot be detected or investigated.

🔍 How EchelonGraph Detects This

GCP-LOG-001 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected Google Cloud accounts. Violations are flagged as high-severity findings with remediation guidance.

🖥️ Manual Verification

Terminal (replace PROJECT_ID with the project to check):
gcloud projects get-iam-policy PROJECT_ID --format=json | jq '.auditConfigs'

A compliant project returns an allServices entry listing ADMIN_READ, DATA_READ and DATA_WRITE with no exemptedMembers; a null result means only the default Admin Activity logs are being written.
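The manual check above leaves the reader to eyeball the jq output. The following is an added example, not EchelonGraph's scanner code, that applies the CIS GCP 2.1 test to the same JSON document that gcloud prints: allServices must carry all three log types, and no service may exempt a member. The three sample policies are constructed for this example and describe no real project.

```python
"""Check a project's IAM audit configuration against CIS GCP 2.1.

Added example, not EchelonGraph's scanner code. It consumes the JSON that
`gcloud projects get-iam-policy PROJECT_ID --format=json` prints. The sample
policies are constructed for this example and do not describe real projects.
"""
import json

# CIS GCP 2.1 expects all three log types on allServices, with no exemptions.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def evaluate_audit_config(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means the policy is compliant."""
    findings: list[str] = []
    by_service = {c.get("service"): c for c in policy.get("auditConfigs", [])}

    all_services = by_service.get("allServices")
    if all_services is None:
        # No allServices entry: only the default Admin Activity logs are written,
        # so every Data Access read or write goes unrecorded.
        findings.append("no auditConfigs entry for allServices")
        enabled: set[str] = set()
    else:
        enabled = {lc.get("logType") for lc in all_services.get("auditLogConfigs", [])}
    for log_type in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"allServices: {log_type} not enabled")

    # Exempted members are blind spots: their activity is never logged for that
    # log type, so report every exemption on every service.
    for service, cfg in by_service.items():
        for lc in cfg.get("auditLogConfigs", []):
            for member in lc.get("exemptedMembers", []):
                findings.append(f"{service}: {lc.get('logType')} exempts {member}")
    return findings


def evaluate_policy_json(text: str) -> list[str]:
    """Convenience wrapper for raw gcloud output."""
    return evaluate_audit_config(json.loads(text))


# Constructed sample policies (bindings omitted; only auditConfigs matter here).
COMPLIANT_POLICY = {
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ"},
                {"logType": "DATA_READ"},
                {"logType": "DATA_WRITE"},
            ],
        }
    ]
}

# Default state of a new project: no auditConfigs block at all.
DEFAULT_ONLY_POLICY = {"bindings": []}

# Partial coverage on allServices plus a per-service exemption.
PARTIAL_POLICY = {
    "auditConfigs": [
        {"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]},
        {
            "service": "bigquery.googleapis.com",
            "auditLogConfigs": [
                {"logType": "DATA_READ", "exemptedMembers": ["user:analyst@example.com"]}
            ],
        },
    ]
}

if __name__ == "__main__":
    for name, policy in [("compliant", COMPLIANT_POLICY),
                         ("default-only", DEFAULT_ONLY_POLICY),
                         ("partial", PARTIAL_POLICY)]:
        findings = evaluate_audit_config(policy)
        print(f"{name}: {'PASS' if not findings else 'FAIL'}")
        for f in findings:
            print(f"  - {f}")
```

To use it on a live project, pipe the gcloud output into evaluate_policy_json; the exemption check matters because a policy can list all three log types and still leave a principal's reads unlogged.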

🔧 Remediation

Configure audit logging at the organization level to cover all services and all log types.

💀 Real-World Attack Scenario

An attacker with stolen credentials accessed a GCP project where Data Access audit logs were not enabled. They read 45,000 records from BigQuery over 2 weeks. Because only Admin Activity logs were enabled (by default), the data reads were never logged. The breach was discovered 8 months later during a customer data audit.

💰 Cost of Non-Compliance

Breaches without complete audit logs take 292 days to detect vs. 197 days with logging (IBM 2024). The additional 95 days costs an average of $1.4M more. SOC 2 audit failure for missing logs: 3-6 month remediation delay.

📋 Audit Questions

  1. Show the audit log configuration for all projects.
  2. Are Data Access logs enabled for BigQuery, Cloud Storage, and Cloud SQL?
  3. How long are audit logs retained?
  4. Who has access to modify audit log configurations?

🎯 MITRE ATT&CK Mapping

  • T1562.008 — Disable Cloud Logs
  • T1070 — Indicator Removal

🏗️ Infrastructure as Code Fix

main.tf
# Enables all three audit log types for every service in one project.
# DATA_READ and DATA_WRITE are off by default; their absence is what the
# attack scenario above depends on. For organization-wide coverage, the
# same block works with google_organization_iam_audit_config and org_id.
resource "google_project_iam_audit_config" "all_services" {
  project = var.project_id
  service = "allServices"   # every GCP service in the project
  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

⚡ Common Pitfalls

  • Relying on default Admin Activity logs and not enabling Data Access logs
  • Not monitoring for audit log configuration changes (attackers disable logging first)
  • Audit log volume overwhelming Cloud Logging quotas without proper log sinks
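The second pitfall, attackers disabling logging before acting, is only caught if someone watches the Admin Activity log for changes to the audit configuration. The following is an added example, not EchelonGraph's detection code, that scans Admin Activity entries in JSON form for SetIamPolicy calls whose auditConfigDeltas remove a log type or add an exempted member. It assumes the field path protoPayload.serviceData.policyDelta.auditConfigDeltas used by the IAM AuditData format; the log entries, project name and principals are constructed for this example.

```python
"""Flag Admin Activity log entries that weaken audit logging.

Added example, not EchelonGraph's detection code. Assumes the IAM AuditData
field path protoPayload.serviceData.policyDelta.auditConfigDeltas. All log
entries below are constructed; no real project or principal is described.
"""
from typing import Optional


def _delta_alert(ts: str, actor: str, resource: str, delta: dict) -> Optional[dict]:
    """Map one auditConfigDelta to an alert, or None if it does not reduce coverage."""
    action = delta.get("action")
    service = delta.get("service", "?")
    log_type = delta.get("logType", "?")
    exempted = delta.get("exemptedMember")
    if action == "REMOVE" and not exempted:
        # A whole log type was switched off for a service (or allServices).
        severity, reason = "high", f"{log_type} logging disabled for {service}"
    elif action == "ADD" and exempted:
        # A principal was carved out of logging for this log type.
        severity, reason = "medium", f"{exempted} exempted from {log_type} on {service}"
    else:
        # ADD of a log type or REMOVE of an exemption increases coverage.
        return None
    return {"timestamp": ts, "actor": actor, "resource": resource,
            "severity": severity, "reason": reason}


def audit_config_alerts(entries: list) -> list:
    """Return alerts for every entry that turns logging off or adds an exemption."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("auditConfigDeltas", []))
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        resource = payload.get("resourceName", "unknown")
        for delta in deltas:
            alert = _delta_alert(entry.get("timestamp", ""), actor, resource, delta)
            if alert:
                alerts.append(alert)
    return alerts


def _set_iam_entry(ts, actor, audit_deltas=None, binding_deltas=None):
    """Build a constructed SetIamPolicy entry in Admin Activity log shape."""
    policy_delta = {}
    if audit_deltas:
        policy_delta["auditConfigDeltas"] = audit_deltas
    if binding_deltas:
        policy_delta["bindingDeltas"] = binding_deltas
    return {
        "timestamp": ts,
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-project",   # constructed
            "authenticationInfo": {"principalEmail": actor},
            "serviceData": {
                "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                "policyDelta": policy_delta,
            },
        },
    }


# Constructed sample entries.
SAMPLE_ENTRIES = [
    # 1. Data Access logs turned off for every service: the pitfall above.
    _set_iam_entry("2024-05-01T10:15:00Z", "compromised-user@example.com",
                   audit_deltas=[{"action": "REMOVE", "service": "allServices", "logType": "DATA_READ"},
                                 {"action": "REMOVE", "service": "allServices", "logType": "DATA_WRITE"}]),
    # 2. A service account exempted from DATA_WRITE on Cloud Storage.
    _set_iam_entry("2024-05-01T10:16:00Z", "admin@example.com",
                   audit_deltas=[{"action": "ADD", "service": "storage.googleapis.com",
                                  "logType": "DATA_WRITE",
                                  "exemptedMember": "serviceAccount:etl@example-project.iam.gserviceaccount.com"}]),
    # 3. Ordinary role grant: bindingDeltas only, no audit config change.
    _set_iam_entry("2024-05-01T11:00:00Z", "admin@example.com",
                   binding_deltas=[{"action": "ADD", "role": "roles/viewer", "member": "user:new@example.com"}]),
    # 4. Logging restored: ADD of a log type increases coverage, so no alert.
    _set_iam_entry("2024-05-02T09:00:00Z", "admin@example.com",
                   audit_deltas=[{"action": "ADD", "service": "allServices", "logType": "DATA_READ"}]),
]

if __name__ == "__main__":
    for a in audit_config_alerts(SAMPLE_ENTRIES):
        print(f"[{a['severity']}] {a['timestamp']} {a['actor']} on {a['resource']}: {a['reason']}")
```

Run live, the same logic becomes a log-based alert: the Cloud Logging filter `protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*` selects exactly the entries this function inspects, under the same field-path assumption. Because Admin Activity logs cannot be disabled, the SetIamPolicy call that turns off Data Access logging is itself always recorded, which is why this detection works even after the attacker's change.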

📈 Business Value

Comprehensive audit logging is the foundation of incident response. Without it, you cannot detect, investigate, or prove the scope of a breach. It's required by every major compliance framework.

⏱️ Effort Estimate

Manual

1-2 hours to configure audit logging per project; ongoing cost monitoring

With EchelonGraph

EchelonGraph verifies audit log configuration across all projects in <60 seconds

🔗 Cross-Framework References

  • SOC2-CC7.2
  • ISO27001-A.12.4.1
  • HIPAA-164.312(b)
  • PCI-10.1

Automate CIS GCP 2.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.
