The Google Cloud audit logs service records administrative activities and accesses to Google Cloud resources of the project. It is important to
enable audit logs to be able to investigate malicious activities in the event of a security incident.
Some project members may be exempted from having their activities recorded in the Google Cloud audit log service, creating a blind spot and
reducing the capacity to investigate future security events.
Ask Yourself Whether
- The members exempted from having their activity logged have high privileges.
- Compliance rules require that audit log should be activated for all members.
There is a risk if you answered yes to any of those questions.
Recommended Secure Coding Practices
It is recommended to have a consistent audit logging policy for all project members and therefore not to create logging exemptions for certain
members.
Sensitive Code Example
resource "google_project_iam_audit_config" "example" {
project = data.google_project.project.id
service = "allServices"
audit_log_config {
log_type = "ADMIN_READ"
exempted_members = [ # Sensitive
"user:rogue.administrator@gmail.com",
]
}
}
Compliant Solution
resource "google_project_iam_audit_config" "example" {
project = data.google_project.project.id
service = "allServices"
audit_log_config {
log_type = "ADMIN_READ"
}
}
See
