Cloud Storage Bucket Logging Not Enabled

  • Query id: d6cabc3a-d57e-48c2-b341-bf3dd4f4a120
  • Query name: Cloud Storage Bucket Logging Not Enabled
  • Platform: Terraform
  • Severity: Medium
  • Category: Observability
  • CWE: 778
  • URL: Github

Description

A Cloud Storage bucket should have access logging enabled by declaring a logging block (with a log_bucket), so that requests made against the bucket are recorded and available for audit.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - tf file
resource "google_storage_bucket" "positive1" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true

  lifecycle_rule {
    condition {
      age = 3
    }
    action {
      type = "Delete"
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - tf file
resource "google_storage_bucket" "negative1" {
  name          = "auto-expiring-bucket"
  location      = "US"
  force_destroy = true

  logging {
    # Terraform attribute is log_bucket (not the API field name logBucket);
    # access logs for this bucket are written to the named log bucket.
    log_bucket = "example-logs-bucket"
  }

  lifecycle_rule {
    condition {
      age = 3
    }
    action {
      type = "Delete"
    }
  }
}
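An added example, not part of the KICS query or the Terraform provider: a small line-based scanner in Python that applies this query's rule to a .tf file, flagging google_storage_bucket resources that lack a logging block containing log_bucket. The Terraform text inside it is constructed from the two test cases above; it assumes one declaration per line and would need a real HCL parser to handle braces inside strings or comments.

```python
import re
# Constructed sample (not from any real project): one bucket without logging,
# one with the logging block the page's negative test shows.
SAMPLE_TF = """
resource "google_storage_bucket" "positive1" {
  name = "auto-expiring-bucket"
  lifecycle_rule {
    condition {
      age = 3
    }
  }
}
resource "google_storage_bucket" "negative1" {
  name = "auto-expiring-bucket"
  logging {
    log_bucket = "example-logs-bucket"
  }
}
"""
RESOURCE_RE = re.compile(r'^\s*resource\s+"google_storage_bucket"\s+"([^"]+)"\s*\{')
LOGGING_RE = re.compile(r'^\s*logging\s*\{')
LOG_BUCKET_RE = re.compile(r'^\s*log_bucket\s*=\s*"[^"]+"')

def find_buckets_without_logging(tf_text):
    """Names of google_storage_bucket resources with no logging { log_bucket = ... } block."""
    findings = []
    lines = tf_text.splitlines()
    i = 0
    while i < len(lines):
        m = RESOURCE_RE.match(lines[i])
        if not m:
            i += 1
            continue
        name = m.group(1)
        depth = lines[i].count("{") - lines[i].count("}")  # 1 after the resource header
        has_log_bucket = in_logging = False
        i += 1
        while i < len(lines) and depth > 0:
            line = lines[i]
            if depth == 1 and LOGGING_RE.match(line):  # only a top-level logging block counts
                in_logging = True
            elif in_logging and LOG_BUCKET_RE.match(line):
                has_log_bucket = True
            depth += line.count("{") - line.count("}")  # braces in strings/comments not handled
            if depth <= 1:
                in_logging = False
            i += 1
        if not has_log_bucket:
            findings.append(name)
    return findings
```

Running find_buckets_without_logging(SAMPLE_TF) reports only "positive1"; a bucket whose logging block is empty is also reported, since the rule needs a log_bucket destination.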