CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00435
- creditSnyk Research Team
Description
Audit logs in Google Cloud capture admin and data access activity. These logs aid security analysis, track resource changes, and ensure compliance. Setting up metric filters and alerts for audit config changes prevents unauthorized or accidental modifications that could hinder investigations or audits.
How to fix?
Ensure a google_logging_metric and google_monitoring_alert_policy are configured for audit configuration changes.
Example Configuration
resource "google_logging_metric" "allowed" {
name = "audit_config_alert"
filter = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"
metric_descriptor {
value_type = "INT64"
metric_kind = "DELTA"
unit = "1"
}
}
resource "google_monitoring_alert_policy" "allowed" {
depends_on = [google_logging_metric.allowed]
display_name = "Alert Policy"
combiner = "OR"
conditions {
display_name = "condition"
condition_threshold {
filter = "resource.type=\"global\" metric.type=\"logging.googleapis.com/user/audit_config_alert\""
duration = "60s"
comparison = "COMPARISON_GT"
}
}
}