IAM default audit log config should not exempt any users Affecting Monitor service in Google

Severity Framework Snyk CCSS

Rule category Logging / Accounts Monitoring

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Controls CIS-Google HIPAA ISO-27001 NIST-800-53 PCI-DSS

Snyk ID SNYK-CC-00406
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

IAM default audit log config should not exempt any users. A project's default audit log config should not exempt any users, to ensure that user admin write operations and data access operations are appropriately logged.

How to fix?

IAM default audit log config should not exempt any users.

Example Configuration

resource "google_project_iam_audit_config" "allowed" {
  service = "allServices"
  project = "my-project"

  audit_log_config {
    log_type = "DATA_READ"
  }

  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

Terraform

google_project_iam_audit_config