rspec/rules/S6414/terraform/rule.adoc

The Google Cloud audit logs service records administrative activities and accesses to Google Cloud resources of the project. It is important to enable audit logs to be able to investigate malicious activities in the event of a security incident. 

Some project members may be exempted from having their activities recorded in the Google Cloud audit log service, creating a blind spot and reducing the capacity to investigate future security events.


== Ask Yourself Whether

* The members exempted from having their activity logged have high privileges.
* Compliance rules require that audit log should be activated for all members.

There is a risk if you answered yes to any of those questions.

== Recommended Secure Coding Practices

It is recommended to have a consistent audit logging policy for all project members and therefore not to create logging exemptions for certain members.


== Sensitive Code Example

[source,terraform]
----
resource "google_project_iam_audit_config" "example" {
  project = data.google_project.project.id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
    exempted_members = [ # Sensitive
      "user:rogue.administrator@gmail.com",
    ]
  }
}
----

== Compliant Solution

[source,terraform]
----
resource "google_project_iam_audit_config" "example" {
  project = data.google_project.project.id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
}
----

== See

* https://cloud.google.com/logging/docs/audit[GCP Documentation] - Cloud Audit Logs overview


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure excluding members activity from audit logs is safe here.


=== Highlighting

* Highlight the whole exempted_members array if not empty.


endif::env-github,rspecator-view[]