Beta - Logs And Alerts Missing Custom Role Changes
- Query id: 69d4f245-d534-479e-8bcc-f6a836276dc8
- Query name: Beta - Logs And Alerts Missing Custom Role Changes
- Platform: Terraform
- Severity: Medium
- Category: Observability
- CWE: 778 (Insufficient Logging)
- Risk score: 3.0
- URL: Github
Description
Ensure that a 'google_logging_metric' exists whose filter selects IAM custom role changes (resource.type="iam_role" combined with the google.iam.admin.v1 CreateRole, DeleteRole, UpdateRole and UndeleteRole methods, with no additional narrowing condition), and that a 'google_monitoring_alert_policy' either references that metric through its 'logging.googleapis.com/user/<metric name>' type or carries an equivalent 'condition_matched_log' filter, and routes to at least one notification channel. A metric with the wrong resource type or method list, an alert that points at a non-existent metric, or an alert with no notification channels all leave custom role creation, deletion, modification or restoration undetected.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file
# Positive (flagged): the filter's resource.type is "Wrong_type", so none of the
# iam_role audit-log entries written for CreateRole / DeleteRole / UpdateRole /
# UndeleteRole are ever counted. The metric exists but never increments, and the
# alert policy that depends on it stays silent. The compliant form uses
# resource.type="iam_role".
# NOTE(review): the description (audit configs via SetIamPolicy) does not
# describe what the filter selects (custom role CRUD) — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="Wrong_type"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
  # incorrect filter
}
# The alert policy itself is wired correctly: it reads the user-defined
# log-based metric "audit_config_change" and routes to a notification channel.
# The sample is still flagged because the metric it depends on filters on the
# wrong resource.type, so there is never a time series for this condition to
# evaluate.
# NOTE(review): resource.type="gce_instance" is unlikely to match the time
# series of a metric built from iam_role log entries — confirm; filtering on
# metric.type alone is the usual pattern for log-based metrics.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_threshold {
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 2 - tf file
# This metric is the compliant shape: resource.type="iam_role" plus the four
# IAM admin role methods. The sample is flagged because of the alert policy
# below, whose metric.type points at a metric that is never defined.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
}
# Positive (flagged): metric.type references
# "logging.googleapis.com/user/wrong_reference", but the only log-based metric
# in this sample is named "audit_config_change". The metric.type suffix must
# equal the google_logging_metric's `name`; otherwise the alert has no data
# source and never fires, even though role changes are being counted.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_threshold {
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/wrong_reference\""
      # incorrect filter reference
    }
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 3 - tf file
# Compliant metric (iam_role + CreateRole/DeleteRole/UpdateRole/UndeleteRole).
# In this sample it is not what triggers the finding; the alert policy below
# uses its own condition_matched_log filter and that filter is wrong.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
}
# Positive (flagged): this is a log-match alert, so its own filter — not the
# log-based metric — decides what is detected. The first method in the list is
# "google.iam.admin.v1.RandomMethod" instead of "google.iam.admin.v1.CreateRole",
# so the creation of a new custom role never raises an alert; only
# delete/update/undelete are covered.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert (Log Match)"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_matched_log {
      filter = <<-FILTER
        resource.type="iam_role"
        AND (protoPayload.methodName = "google.iam.admin.v1.RandomMethod" OR
        protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
        protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
        protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
      FILTER
      # incorrect filter
    }
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 4 - tf file
# Compliant metric (iam_role + CreateRole/DeleteRole/UpdateRole/UndeleteRole).
# The finding in this sample comes from the alert policy below, which has no
# notification channels.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
}
# Positive (flagged): the condition correctly reads the "audit_config_change"
# metric, but `notification_channels` is absent. An incident is opened in the
# Monitoring console and nobody is told — for a detective control on privilege
# changes that is equivalent to having no alert at all.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_threshold {
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  # missing notification channels
}
Positive test num. 5 - tf file
# Positive (flagged): a log-match alert with a correct filter (iam_role plus
# all four role methods; the irregular spacing is deliberate, to exercise the
# query's parsing) but no `notification_channels`. A log-match alert needs no
# separate google_logging_metric, so the only thing missing here is delivery.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert (Log Match)"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition" # test for unusual spacing

    condition_matched_log {
      filter = <<-FILTER
        resource.type = "iam_role"
        AND ( protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
        protoPayload.methodName = "google.iam.admin.v1.DeleteRole"
        OR
        protoPayload.methodName = "google.iam.admin.v1.UpdateRole" OR
        protoPayload.methodName = "google.iam.admin.v1.UndeleteRole" )
      FILTER
    }
  }

  # missing notification channels
}
Positive test num. 6 - tf file
# Positive (flagged): the alert references
# "logging.googleapis.com/user/audit_config_change", but no google_logging_metric
# with name "audit_config_change" exists in this sample. Without the metric (and
# its iam_role / role-method filter) there is nothing that selects custom role
# changes, so the alert can never fire.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_threshold {
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    } # missing specific filter
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}
Positive test num. 7 - tf file
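# Positive (flagged): the filter starts out compliant (iam_role + the four role
# methods) but appends an extra
# `AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/editor"`
# condition, narrowing detection so that most role changes are no longer
# counted. No alert policy accompanies the metric either.
# NOTE(review): bindingDeltas is populated by SetIamPolicy, not by the role CRUD
# methods, so this extra condition likely matches nothing at all — confirm.
# Fix applied to the fixture: the original filter carried an unbalanced
# trailing ")" after the extra condition (the parenthesis opened on the CreateRole
# line is already closed after UndeleteRole), which Cloud Logging would reject
# as a malformed query. The stray parenthesis is removed; the additional
# condition that the query flags is kept.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/editor"
  FILTER
} # specific filter has additional condition at the end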
Positive test num. 8 - tf file
# Positive (flagged): resource.type="Wrong_type" means the iam_role audit-log
# entries for CreateRole / DeleteRole / UpdateRole / UndeleteRole are never
# matched, and there is no alert policy at all in this sample. Both halves of
# the control — a correctly scoped metric and an alert that consumes it — are
# missing.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="Wrong_type"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
  # incorrect filter
}
Code samples without security vulnerabilities
Negative test num. 1 - tf file
# Compliant: a log-based metric scoped to resource.type="iam_role" that counts
# the four IAM admin methods which create, delete, modify or restore a custom
# role. The `name` ("audit_config_change") is what the alert policy references
# via metric.type "logging.googleapis.com/user/audit_config_change", so the two
# must be kept in sync. No extra conditions narrow the filter.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
}
# Compliant (as far as this query is concerned): a threshold condition on the
# "audit_config_change" log-based metric, delivered to a notification channel.
# The query checks that the metric reference matches a defined metric and that
# notification_channels is present; it does not validate the remaining alert
# settings, so note the following before reusing this as a template:
# NOTE(review): resource.type="gce_instance" is unlikely to match the time
# series of a metric built from iam_role log entries — confirm; filtering on
# metric.type alone is the usual pattern for log-based metrics.
# NOTE(review): condition_threshold is declared without comparison, duration or
# threshold_value; the provider documents comparison and duration as required,
# so this fixture is illustrative rather than apply-ready.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition"

    condition_threshold {
      filter = "resource.type=\"gce_instance\" AND metric.type=\"logging.googleapis.com/user/audit_config_change\""
    }
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}
Negative test num. 2 - tf file
# Compliant metric: resource.type="iam_role" with CreateRole / DeleteRole /
# UpdateRole / UndeleteRole and no narrowing condition. In this sample the
# alert policy uses its own log-match filter, so the metric is not strictly
# required for the alert to work; it still provides a countable time series
# for dashboards and thresholds.
# NOTE(review): the description mentions SetIamPolicy / audit configs but the
# filter selects custom role CRUD — consider aligning them.
resource "google_logging_metric" "audit_config_change" {
  name        = "audit_config_change"
  description = "Detects changes to audit configurations via SetIamPolicy"
  filter      = <<-FILTER
    resource.type="iam_role"
    AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
    protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR
    protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR
    protoPayload.methodName="google.iam.admin.v1.UndeleteRole")
  FILTER
}
# Compliant: a log-match alert whose filter selects iam_role entries for all
# four custom-role methods and that routes to a notification channel. The
# irregular spacing inside the filter is intentional — it confirms the query
# tolerates whitespace variation rather than matching an exact string.
# NOTE(review): log-match alert policies normally require
# alert_strategy { notification_rate_limit { period = "..." } } — confirm
# against the provider before treating this fixture as apply-ready.
# google_monitoring_notification_channel.email is assumed to be defined
# elsewhere in the configuration.
resource "google_monitoring_alert_policy" "audit_config_alert" {
  display_name = "Audit Config Change Alert (Log Match)"
  combiner     = "OR"

  conditions {
    display_name = "Audit Config Change Condition" # test for unusual spacing

    condition_matched_log {
      filter = <<-FILTER
        resource.type = "iam_role"
        AND ( protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR
        protoPayload.methodName = "google.iam.admin.v1.DeleteRole"
        OR
        protoPayload.methodName = "google.iam.admin.v1.UpdateRole" OR
        protoPayload.methodName = "google.iam.admin.v1.UndeleteRole" )
      FILTER
    }
  }

  notification_channels = [google_monitoring_notification_channel.email.id]
}