At least one project-level logging sink does not contain an empty filter Affecting Monitor service in Google

Severity Framework Snyk CCSS

Rule category Logging / Logging

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google HIPAA ISO-27001 NIST-800-53 PCI-DSS SOC-2

Snyk ID SNYK-CC-00438
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

A Sink with no filter captures all log entries, ensuring comprehensive analysis, troubleshooting, and compliance auditing. It acts as a safety net, preventing valuable logs from being missed, providing a centralized repository for incident investigations.

How to fix?

Remove the filter attribute from at least one project-level logging sink.

Example configuration

resource "google_logging_project_sink" "pubsub_sink" {
  name        = "example438d1"
  destination = "pubsub.googleapis.com/${google_pubsub_topic.aggregated_logs438d1.id}"
}

Terraform

google_logging_project_sink

References

Sinks