The Google Cloud Audit Logs service records administrative activities and accesses to project resources, but individual project members can be exempted from having their activities logged.
Creating audit log exemptions for project members creates blind spots in the audit trail. Activities performed by exempted members are not recorded, reducing the ability to detect and investigate security incidents. This rule raises an issue when a google_project_iam_audit_config resource defines a non-empty exempted_members list.
If a privileged account is exempted from audit logging and is later compromised, its malicious activities will not appear in audit logs. This delays detection and incident response, and may allow an attacker to persist undetected for an extended period.
Noncompliant code example:

    resource "google_project_iam_audit_config" "example" {
      project = data.google_project.project.id
      service = "allServices"
      audit_log_config {
        log_type = "ADMIN_READ"
        exempted_members = [ # Noncompliant
          "user:rogue.administrator@example.com",
        ]
      }
    }

Compliant solution:

    resource "google_project_iam_audit_config" "example" {
      project = data.google_project.project.id
      service = "allServices"
      audit_log_config {
        log_type = "ADMIN_READ"
      }
    }
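The check this rule describes, written as an added example rather than the rule's own implementation: a small Python scanner that locates google_project_iam_audit_config resources in Terraform text by brace matching, reports every non-empty exempted_members list, and stays silent on an empty list. The sample configuration embedded below is constructed for the example, and the member identifiers in it are placeholders.

```python
import re

# Constructed sample Terraform (not from any real project): one resource exempts
# two members from ADMIN_READ logging, the other declares an empty list.
SAMPLE_TF = '''
resource "google_project_iam_audit_config" "exempting" {
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
    exempted_members = [
      "user:rogue.administrator@example.com",
      "serviceAccount:batch@example.iam.gserviceaccount.com",
    ]
  }
}

resource "google_project_iam_audit_config" "empty_list" {
  service = "allServices"
  audit_log_config {
    log_type = "DATA_WRITE"
    exempted_members = []
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"google_project_iam_audit_config"\s+"([^"]+)"\s*\{')
EXEMPT_RE = re.compile(r'exempted_members\s*=\s*\[(.*?)\]', re.DOTALL)
MEMBER_RE = re.compile(r'"([^"]+)"')

def resource_bodies(text):
    """Yield (name, body, start_line) per audit-config resource by brace matching.
    Assumes braces do not appear inside string literals (true for member IDs)."""
    for m in RESOURCE_RE.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1], text.count('\n', 0, m.start()) + 1

def find_exemptions(text):
    """Return [(resource_name, line, members)] for each non-empty exempted_members."""
    findings = []
    for name, body, line in resource_bodies(text):
        for em in EXEMPT_RE.finditer(body):
            members = MEMBER_RE.findall(em.group(1))
            if members:  # an empty list creates no blind spot, so it is not reported
                findings.append((name, line, members))
    return findings
```

Running find_exemptions(SAMPLE_TF) reports only the "exempting" resource with its two members; the "empty_list" resource produces no finding.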