rspec/rules/S6414/terraform/rule.adoc

The Google Cloud audit logs service records administrative activities and accesses to Google Cloud resources of the project. It is important to enable audit logs to be able to investigate malicious activities in the event of a security incident. 

Some project members may be exempted from having their activities recorded in the Google Cloud audit log service, creating a blind spot and reducing the capacity to investigate future security events.


== Ask Yourself Whether

* The members exempted from having their activity logged have high privileges.
* Compliance rules require that audit log should be activated for all members.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is recommended to have a consistent audit logging policy for all project members and therefore not to create logging exemptions for certain members.


== Sensitive Code Example

[source,terraform]
----
resource "google_project_iam_audit_config" "example" {
  project = data.google_project.project.id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
    exempted_members = [ # Sensitive
      "user:rogue.administrator@gmail.com",
    ]
  }
}
----

== Compliant Solution

[source,terraform]
----
resource "google_project_iam_audit_config" "example" {
  project = data.google_project.project.id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
}
----

== See

* https://cloud.google.com/logging/docs/audit[GCP Documentation] - Cloud Audit Logs overview


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure excluding members activity from audit logs is safe here.


=== Highlighting

* Highlight the whole exempted_members array if not empty.


endif::env-github,rspecator-view[]
Modify S6414: Fix Ask-yourself (#2536) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-07-19 15:34:51 +02:00			`The Google Cloud audit logs service records administrative activities and accesses to Google Cloud resources of the project. It is important to enable audit logs to be able to investigate malicious activities in the event of a security incident.`
Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`Some project members may be exempted from having their activities recorded in the Google Cloud audit log service, creating a blind spot and reducing the capacity to investigate future security events.`


			`== Ask Yourself Whether`

			`* The members exempted from having their activity logged have high privileges.`
			`* Compliance rules require that audit log should be activated for all members.`

Modify S6414: Fix Ask-yourself (#2536) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-07-19 15:34:51 +02:00			`There is a risk if you answered yes to any of those questions.`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00
			`== Recommended Secure Coding Practices`

			`It is recommended to have a consistent audit logging policy for all project members and therefore not to create logging exemptions for certain members.`
Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00

			`== Sensitive Code Example`
Modify S6414: Fix Ask-yourself (#2536) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-07-19 15:34:51 +02:00
Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00			`[source,terraform]`
			`----`
			`resource "google_project_iam_audit_config" "example" {`
			`project = data.google_project.project.id`
			`service = "allServices"`
			`audit_log_config {`
			`log_type = "ADMIN_READ"`
			`exempted_members = [ # Sensitive`
			`"user:rogue.administrator@gmail.com",`
			`]`
			`}`
			`}`
			`----`

			`== Compliant Solution`
Modify S6414: Fix Ask-yourself (#2536) ## Review A dedicated reviewer checked the rule description successfully for: - [x] logical errors and incorrect information - [x] information gaps and missing content - [x] text style and tone - [x] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-07-19 15:34:51 +02:00
Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00			`[source,terraform]`
			`----`
			`resource "google_project_iam_audit_config" "example" {`
			`project = data.google_project.project.id`
			`service = "allServices"`
			`audit_log_config {`
			`log_type = "ADMIN_READ"`
			`}`
			`}`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

			`* https://cloud.google.com/logging/docs/audit[GCP Documentation] - Cloud Audit Logs overview`

Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure excluding members activity from audit logs is safe here.`


			`=== Highlighting`

			`* Highlight the whole exempted_members array if not empty.`
Create rule S6414[terraform]: Excluding users or groups activities from audit logs is security-sensitive (#805) * Create rule S6414 * init s6414 * fixes after review * fix noncompliant sample * Fix typo in the rule title * Add code highlighted tag to code example Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Pierre-Loup Tristant <pierre-loup.tristant@sonarsource.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-03-04 12:52:46 +00:00

			`endif::env-github,rspecator-view[]`