Comments
ra...@google.com <ra...@google.com> #2
Thanks for the report. I will route this to the appropriate internal team and update this when I hear back from them.
je...@gmail.com <je...@gmail.com> #3
One more detail: Data Layer event calls from the watch to the phone (running Android 13) do work if the listener is in an Activity or Fragment.
Description
Please describe your requested enhancement. Good feature requests will solve common problems or enable new use cases.
What you would like to accomplish:
As a product owner, I want the tools gcloud storage, gsutil and the Cloud Storage console UI improved so that, from the GCP audit logs of the source GCP organization, we can identify when data is copied to an external GCP organization.
How this might work:
The log event would include both source and destination information, such as the source and target bucket names and a flag identifying whether the destination bucket is external or internal to the source GCP organization.
If applicable, reasons why alternative solutions are not sufficient:
Other information (workarounds you have tried, documentation consulted, etc):
-> WORKAROUND EXPLORED:
We have implemented VPC Service Controls, which successfully block the external copy and even generate the UPLOAD event within the source GCP organization. However, we need a solution that does not rely on the VPC SC logs, since VPC SC could be misconfigured or, for example, not cover some projects, whether willingly or by mistake.
Adding the destination IP to the logs is not considered adequate: since the target is a GCP organization, the IP will fall within the Google IP ranges that are shared by all customers.
-> BUSINESS IMPACT:
Loss of company data is a high risk, especially for companies in heavily regulated industries, with financial results, competitive advantage, intellectual property and corporate reputation all at stake.
Sensitive information is governed by specific data classification directives, by internal regulations for specific data types, and by external regulations such as export control or the General Data Protection Regulation (GDPR).
Processing such sensitive information in GCP requires most companies to implement security controls that protect their data against specific risks (in this particular case, the main threat is data leakage).
To comply with these different standards, most companies in heavily regulated industries implement security controls, which translate into security compliance rules for Cloud Security Posture Management and into security incident detection use cases for the Security Operations Center.
Hence, visibility into the most critical events is of the utmost importance for enforcing the required security controls, and in particular for detecting and preventing unauthorized data transfers from internal devices through various channels.
-> LOG EXAMPLE:
Current gsutil GET log event found in the source GCP organization, which does not contain any information about the destination:
{
  "protoPayload": {
    "@type": "
    "status": {},
    "authenticationInfo": {
      "principalEmail": "xxx.xxxx@xxx.xxx"
    },
    "requestMetadata": {
      "callerIp": "xx.xx.xx.xx",
      "callerSuppliedUserAgent": "apitools Python/3.9.2 gsutil/5.20 (linux) analytics/disabled interactive/True command/cp google-cloud-sdk/420.0.0,gzip(gfe)",
      "requestAttributes": {
        "time": "2023-03-15T09:30:22.046795323Z",
        "auth": {}
      },
      "destinationAttributes": {}
    },
    "serviceName": "
    "methodName": "storage.objects.get",
    "authorizationInfo": [
      {
        "resource": "projects/_/buckets/source_bucket_xxx/objects/*objectname*",
        "permission": "storage.objects.get",
        "granted": true,
        "resourceAttributes": {}
      }
    ],
    "resourceName": "projects/_/buckets/source_bucket_xxx/objects/*objectname*",
    "resourceLocation": {
      "currentLocations": [
        "xx"
      ]
    }
  },
  "insertId": "xxxxxxxx",
  "resource": {
    "type": "gcs_bucket",
    "labels": {
      "project_id": "source_project_id",
      "location": "xx",
      "bucket_name": "source_bucket_xxx"
    }
  },
  "timestamp": "2023-03-15T09:30:22.040904183Z",
  "severity": "INFO",
  "logName": "projects/source_project_id/logs/
  "receiveTimestamp": "2023-03-15T09:30:22.062616651Z"
}
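As an added example (not part of this issue or of any Google tooling), a small Python check run over constructed audit-log lines in the shape of the event above: it shows why today's entries can only be classified as "unknown" (destinationAttributes is empty) and how the requested destination fields would let a SOC rule flag copies into a bucket outside the organization. The destinationBucket and destinationExternal keys, the bucket names and the principals are assumed sample values for the proposed enrichment and do not exist in current logs.

```python
import json
import re
BUCKET_RE = re.compile(r"^projects/_/buckets/([^/]+)/objects/(.+)$")  # resourceName shape from the log above

def source_bucket(resource_name):
    """Bucket name from an audit-log resourceName, or None if it does not match."""
    m = BUCKET_RE.match(resource_name or "")
    return m.group(1) if m else None

def classify_entry(entry, internal_buckets):
    """'internal' / 'external' / 'unknown' for one storage.objects.get entry.
    'unknown' is what today's logs yield (destinationAttributes is empty). The keys
    destinationBucket / destinationExternal are hypothetical: they stand for the
    enrichment this request asks for and do not exist in current audit logs."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.objects.get":
        return None  # not a read of an object; out of scope for this check
    if source_bucket(payload.get("resourceName")) is None:
        return "unknown"
    dest = payload.get("requestMetadata", {}).get("destinationAttributes") or {}
    if "destinationExternal" in dest:  # an explicit flag, when present, wins
        return "external" if dest["destinationExternal"] else "internal"
    if "destinationBucket" not in dest:
        return "unknown"
    return "internal" if dest["destinationBucket"] in internal_buckets else "external"

def find_external_copies(log_lines, internal_buckets):
    """(principal, source bucket, destination bucket) for every entry classified external."""
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if classify_entry(entry, internal_buckets) == "external":
            p = entry["protoPayload"]
            hits.append((p["authenticationInfo"]["principalEmail"], source_bucket(p["resourceName"]),
                         p["requestMetadata"]["destinationAttributes"]["destinationBucket"]))
    return hits

def _entry(principal, bucket, dest):  # constructed minimal log line, not a real audit record
    return json.dumps({"protoPayload": {
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"destinationAttributes": dest},
        "resourceName": f"projects/_/buckets/{bucket}/objects/report.csv"}})

INTERNAL_BUCKETS = {"source_bucket_xxx", "archive_bucket_internal"}
SAMPLE_LOGS = [
    _entry("user-a@example.com", "source_bucket_xxx", {}),  # today's log shape: destination unknown
    _entry("user-b@example.com", "source_bucket_xxx", {"destinationBucket": "archive_bucket_internal"}),
    _entry("user-c@example.com", "source_bucket_xxx", {"destinationBucket": "bucket-in-other-org", "destinationExternal": True}),
]
```

Only the third sample line is reported; the first one, which matches what the logs contain today, cannot be classified at all.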