Logging metric filter and alert for custom role changes are not configured Affecting IAM service in Google


Severity

medium
Severity Framework: Snyk CCSS
Rule category: Logging / Accounts Monitoring

Frameworks: CIS-Controls, CIS-Google, HIPAA, ISO-27001, NIST-800-53, PCI-DSS
Snyk ID: SNYK-CC-00436
Credit: Snyk Research Team

Description

Google Cloud custom roles are derived from predefined roles and grant fine-grained access to resources. To spot over-privileged roles, set up log-based metric filters and alerts for role changes. Tracking role creation, deletion and updates allows excessive privileges to be detected early.

How to fix?

Ensure that a google_logging_metric and a google_monitoring_alert_policy are configured for custom role changes, so that every CreateRole, DeleteRole and UpdateRole audit log entry is both counted and alerted on.

Example Configuration

resource "google_logging_metric" "allowed1" {
  name   = "audit_config_alert_1"
  filter = "resource.type=\"iam_role\" AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\""

  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
  }
}

resource "google_logging_metric" "allowed2" {
  name   = "audit_config_alert_2"
  filter = "resource.type=\"iam_role\" AND protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\""

  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
  }
}

resource "google_logging_metric" "allowed3" {
  name   = "audit_config_alert_3"
  filter = "resource.type=\"iam_role\" AND protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\""

  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
  }
}

# Single metric covering all three role operations. In the Cloud Logging query
# language AND binds tighter than OR, so the OR branch must be parenthesised;
# without the parentheses the resource.type restriction applies only to the
# CreateRole term and DeleteRole/UpdateRole entries match for any resource type.
resource "google_logging_metric" "allowed4" {
  name   = "audit_config_alert"
  filter = "resource.type=\"iam_role\" AND (protoPayload.methodName=\"google.iam.admin.v1.CreateRole\" OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\")"

  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
  }
}
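The rule also requires a google_monitoring_alert_policy, which the configuration above does not show. The following is an added example, not part of Snyk's page: it assumes the combined metric resource google_logging_metric.allowed4 from above, and the notification channel and its e-mail address are placeholders.

```hcl
# Placeholder notification channel; replace the address with a real recipient.
resource "google_monitoring_notification_channel" "iam_role_alerts" {
  display_name = "IAM custom role change alerts"
  type         = "email"
  labels = {
    email_address = "security-alerts@example.com" # placeholder address
  }
}

# Fire whenever the combined Create/Delete/UpdateRole metric records at least
# one matching audit log entry within a 5-minute alignment window.
resource "google_monitoring_alert_policy" "custom_role_changes" {
  display_name = "IAM custom role created, updated or deleted"
  combiner     = "OR"

  conditions {
    display_name = "Custom role change detected"
    condition_threshold {
      # User-defined log-based metrics are exposed to Monitoring under
      # logging.googleapis.com/user/<metric name>; assumes the metric above.
      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.allowed4.name}\""
      comparison      = "COMPARISON_GT"
      threshold_value = 0
      duration        = "0s"

      aggregations {
        # Sum the DELTA counter over each 5-minute window; any value > 0
        # means at least one role change was logged.
        alignment_period   = "300s"
        per_series_aligner = "ALIGN_SUM"
      }
    }
  }

  notification_channels = [google_monitoring_notification_channel.iam_role_alerts.name]
}
```

Because the policy references the metric by its Terraform name, the alert is only valid if the metric and policy are applied in the same project.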