CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Is your environment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CC-00436
- creditSnyk Research Team
Description
Google Cloud's custom roles stem from predefined ones, granting precise access to its resources. To pinpoint over-privileged roles, set up metric filters and alarms for altered predefined roles. Tracking role creation, deletion, and updates aids in early detection of excessive privileges.
How to fix?
Ensure a google_logging_metric and google_monitoring_alert_policy are configured for custom role changes.
Example Configuration
resource "google_logging_metric" "allowed1" {
name = "audit_config_alert_1"
filter = "resource.type=\"iam_role\" AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\""
metric_descriptor {
value_type = "INT64"
metric_kind = "DELTA"
}
}
resource "google_logging_metric" "allowed2" {
name = "audit_config_alert_2"
filter = "resource.type=\"iam_role\" AND protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\""
metric_descriptor {
value_type = "INT64"
metric_kind = "DELTA"
}
}
resource "google_logging_metric" "allowed3" {
name = "audit_config_alert_3"
filter = "resource.type=\"iam_role\" AND protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\""
metric_descriptor {
value_type = "INT64"
metric_kind = "DELTA"
}
}
resource "google_logging_metric" "allowed4" {
name = "audit_config_alert"
filter = "resource.type=\"iam_role\" AND protoPayload.methodName = \"google.iam.admin.v1.CreateRole\" OR protoPayload.methodName=\"google.iam.admin.v1.DeleteRole\" OR protoPayload.methodName=\"google.iam.admin.v1.UpdateRole\""
metric_descriptor {
value_type = "INT64"
metric_kind = "DELTA"
}
}