Logging metric filter and alert for audit configuration changes are not configured Affecting Monitor service in Google

Snyk CCSS

Logging / Logging

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

CIS-Google CSA-CCM HIPAA ISO-27001 NIST-800-53 PCI-DSS

Snyk ID SNYK-CC-00435
credit Snyk Research Team

Report a new misconfiguration Found a mistake?

Description

Audit logs in Google Cloud capture admin and data access activity. These logs aid security analysis, track resource changes, and ensure compliance. Setting up metric filters and alerts for audit config changes prevents unauthorized or accidental modifications that could hinder investigations or audits.

How to fix?

Ensure a google_logging_metric and google_monitoring_alert_policy are configured for audit configuration changes.

Example Configuration

resource "google_logging_metric" "allowed" {
  name   = "audit_config_alert"
  filter = "protoPayload.methodName=\"SetIamPolicy\" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"

  metric_descriptor {
    value_type  = "INT64"
    metric_kind = "DELTA"
    unit        = "1"
  }
}

resource "google_monitoring_alert_policy" "allowed" {
  depends_on   = [google_logging_metric.allowed]
  display_name = "Alert Policy"
  combiner     = "OR"
  conditions {
    display_name = "condition"
    condition_threshold {
      filter     = "resource.type=\"global\" metric.type=\"logging.googleapis.com/user/audit_config_alert\""
      duration   = "60s"
      comparison = "COMPARISON_GT"
    }
  }
}

Terraform

References

Log-based metrics overview