Search code examples
google-cloud-storagegoogle-iamgoogle-cloud-logging

Google Storage AuditLogs - finding who is trying to access

I have a google storage bucket with Audit Logs enabled. Every one\two days I getting logs about PERMISSION DENIED. The log is specifying what kind of access the requestor is asking for. But, not give me enough information to answer the question - who is requesting?

This is the log message:

{
    "insertId": "rr6wsd...",
    "logName": "projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Fdata_access",
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "authenticationInfo": {},
        "authorizationInfo": [
            {
                "permission": "storage.buckets.get",
                "resource": "projects//buckets/BUCKET_NAME",
                "resourceAttributes": {}
            }
        ],
        "methodName": "storage.buckets.get",
        "requestMetadata": {
            "callerSuppliedUserAgent": "Blob/1 (cr/340918833)",
            "destinationAttributes": {},
            "requestAttributes": {
                "auth": {},
                "reason": "8uSywAZKWkhOZWVkZWQg...",
                "time": "2021-01-20T03:43:38.405230045Z"
            }
        },
        "resourceLocation": {
            "currentLocations": [
                "us-central1"
            ]
        },
        "resourceName": "projects//buckets/BUCKET_NAME",
        "serviceName": "storage.googleapis.com",
        "status": {
            "code": 7,
            "message": "PERMISSION_DENIED"
        }
    },
    "receiveTimestamp": "2021-01-20T03:43:38.488787956Z",
    "resource": {
        "labels": {
            "bucket_name": "BUCKET_NAME",
            "location": "us-central1",
            "project_id": "PROJECT_ID"
        },
        "type": "gcs_bucket"
    },
    "severity": "ERROR",
    "timestamp": "2021-01-20T03:43:38.399417759Z"
}

As you can see, the only information who talking about "who is trying to access" is

"callerSuppliedUserAgent": "Blob/1 (cr/340918833)",

But what that means? mean nothing to me.

How I can understand who is trying to access this permission?

Solution

  • The callerSuppliedUserAgent can be anything the client application puts in their request headers - Ignore it as this header can be faked. Only legitimate applications put anything meaningful in the header.

    This is an unauthenticated request. There is no identity to record. Most likely a troll scanning the Internet looking for open buckets.

    Notice that the auth key is empty. No authorization was provided in the request.

    "requestAttributes": {
    "auth": {},
    "reason": "8uSywAZKWkhOZWVkZWQg...",
    "time": "2021-01-20T03:43:38.405230045Z"
}