app_engine_application_iap_enabledaudit_logging_configured_for_all_servicebigquery_dataset_encrypted_with_cmkbigquery_dataset_not_publicly_accessiblebigquery_dataset_restrict_gmailbigquery_dataset_restrict_googlegroupsbigquery_table_encrypted_with_cmkcloudfunction_function_no_deployments_manager_permissioncloudfunction_function_no_disrupt_logging_permissioncloudfunction_function_no_ingress_settings_allow_allcloudfunction_function_restrict_public_accesscloudfunction_function_restricted_permissioncloudfunction_function_vpc_connector_enabledcloudrun_service_restrict_public_accesscompute_backend_bucket_no_dangling_storage_bucketcompute_disk_encrypted_with_cskcompute_external_backend_service_iap_enabledcompute_firewall_allow_connections_proxied_by_iapcompute_firewall_allow_tcp_connections_proxied_by_iapcompute_firewall_default_rule_restrict_ingress_access_except_http_and_httpscompute_firewall_rule_ingress_access_restricted_to_dns_port_53compute_firewall_rule_ingress_access_restricted_to_ftp_port_21compute_firewall_rule_ingress_access_restricted_to_http_port_80compute_firewall_rule_ingress_access_restricted_to_microsoft_ds_port_445compute_firewall_rule_ingress_access_restricted_to_mongo_db_port_27017compute_firewall_rule_ingress_access_restricted_to_mysql_db_port_3306compute_firewall_rule_ingress_access_restricted_to_netbios_snn_port_139compute_firewall_rule_ingress_access_restricted_to_oracle_db_port_1521compute_firewall_rule_ingress_access_restricted_to_pop3_port_110compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10250compute_firewall_rule_ingress_access_restricted_to_postgresql_port_10255compute_firewall_rule_ingress_access_restricted_to_postgresql_port_5432compute_firewall_rule_ingress_access_restricted_to_smtp_port_25compute_firewall_rule_ingress_access_restricted_to_telnet_port_23compute_firewall_rule_rdp_access_restrictedcompute_firewall_rule_restrict_ingress_allcompute_firewall_rule_restrict_ingress_all_with_no_specific_targetcompute_firewall_rule_ssh_access_restrictedcompute_https_load_balancer_logging_enabledcompute_instance_block_project_wide_ssh_enabledcompute_instance_confidential_computing_enabledcompute_instance_ip_forwarding_disabledcompute_instance_no_data_destruction_permissioncompute_instance_no_database_write_permissioncompute_instance_no_deployments_manager_permissioncompute_instance_no_disrupt_logging_permissioncompute_instance_no_iam_write_permissioncompute_instance_no_service_account_impersonate_permissioncompute_instance_no_write_permission_on_deny_policycompute_instance_oslogin_enabledcompute_instance_preemptible_termination_disabledcompute_instance_serial_port_connection_disabledcompute_instance_shielded_vm_enabledcompute_instance_template_ip_forwarding_disabledcompute_instance_with_custom_metadatacompute_instance_with_no_default_service_accountcompute_instance_with_no_default_service_account_with_full_accesscompute_instance_with_no_public_ip_addressescompute_instance_wth_no_high_level_basic_rolecompute_network_auto_create_subnetwork_enabledcompute_network_contains_no_default_networkcompute_network_contains_no_legacy_networkcompute_network_dns_logging_enabledcompute_ssl_policy_with_no_weak_ciphercompute_subnetwork_flow_log_enabledcompute_subnetwork_private_ip_google_accesscompute_target_https_proxy_quic_protocol_enabledcompute_target_https_proxy_quic_protocol_no_default_ssl_policycompute_target_https_uses_latest_tls_versiondataproc_cluster_encryption_with_cmekdns_managed_zone_dnssec_enableddns_managed_zone_key_signing_not_using_rsasha1dns_managed_zone_zone_signing_not_using_rsasha1iam_api_key_age_90iam_api_key_restricts_apisiam_api_key_restricts_websites_hosts_appsiam_service_account_gcp_managed_keyiam_service_account_key_age_100iam_service_account_key_age_90iam_service_account_without_admin_privilegeiam_user_denylist_publiciam_user_kms_separation_of_duty_enforcediam_user_not_assigned_service_account_user_role_project_leveliam_user_separation_of_duty_enforcediam_user_uses_corporate_login_credentialskms_key_not_publicly_accessiblekms_key_rotated_within_100_daykms_key_rotated_within_90_daykms_key_separation_of_duties_enforcedkubernetes_cluster_auto_repair_enabledkubernetes_cluster_auto_upgrade_enabledkubernetes_cluster_binary_authorization_enabledkubernetes_cluster_client_certificate_authentication_enabledkubernetes_cluster_dashboard_disabledkubernetes_cluster_database_encryption_enabledkubernetes_cluster_http_load_balancing_enabledkubernetes_cluster_incoming_traffic_open_to_allkubernetes_cluster_intra_node_visibility_enabledkubernetes_cluster_kubernetes_alpha_enabledkubernetes_cluster_legacy_abac_enabledkubernetes_cluster_legacy_endpoints_disabledkubernetes_cluster_logging_enabledkubernetes_cluster_master_authorized_networks_config_enabledkubernetes_cluster_monitoring_enabledkubernetes_cluster_network_policy_enabledkubernetes_cluster_network_policy_installedkubernetes_cluster_no_default_networkkubernetes_cluster_node_config_image_cos_containerdkubernetes_cluster_node_no_default_service_accountkubernetes_cluster_private_cluster_config_enabledkubernetes_cluster_private_nodes_configuredkubernetes_cluster_release_channel_configuredkubernetes_cluster_service_account_defaultkubernetes_cluster_shielded_instance_integrity_monitoring_enabledkubernetes_cluster_shielded_node_secure_boot_enabledkubernetes_cluster_shielded_nodes_enabledkubernetes_cluster_use_ip_aliaseskubernetes_cluster_with_less_than_three_node_auto_upgrade_enabledkubernetes_cluster_with_resource_labelskubernetes_cluster_zone_redundantlogging_bucket_retention_policy_enabledlogging_metric_alert_audit_configuration_changeslogging_metric_alert_custom_role_changeslogging_metric_alert_firewall_rule_changeslogging_metric_alert_network_changeslogging_metric_alert_network_route_changeslogging_metric_alert_project_ownership_assignmentlogging_metric_alert_sql_instance_configuration_changeslogging_metric_alert_storage_iam_permission_changeslogging_sink_configured_for_all_resourcemanual_controlorganization_essential_contacts_configuredproject_access_approval_settings_enabledproject_no_api_keyproject_service_cloudasset_api_enabledproject_service_container_scanning_api_enabledsql_instance_automated_backups_enabledsql_instance_mysql_binary_log_enabledsql_instance_mysql_local_infile_database_flag_offsql_instance_mysql_skip_show_database_flag_onsql_instance_not_open_to_internetsql_instance_not_publicly_accessiblesql_instance_postgresql_cloudsql_pgaudit_database_flag_enabledsql_instance_postgresql_log_checkpoints_database_flag_onsql_instance_postgresql_log_connections_database_flag_onsql_instance_postgresql_log_disconnections_database_flag_onsql_instance_postgresql_log_duration_database_flag_onsql_instance_postgresql_log_error_verbosity_database_flag_default_or_strictersql_instance_postgresql_log_executor_stats_database_flag_offsql_instance_postgresql_log_hostname_database_flag_configuredsql_instance_postgresql_log_lock_waits_database_flag_onsql_instance_postgresql_log_min_duration_statement_database_flag_disabledsql_instance_postgresql_log_min_error_statement_database_flag_configuredsql_instance_postgresql_log_min_messages_database_flag_errorsql_instance_postgresql_log_parser_stats_database_flag_offsql_instance_postgresql_log_planner_stats_database_flag_offsql_instance_postgresql_log_statement_database_flag_ddlsql_instance_postgresql_log_statement_stats_database_flag_offsql_instance_postgresql_log_temp_files_database_flag_0sql_instance_require_ssl_enabledsql_instance_sql_3625_trace_database_flag_offsql_instance_sql_3625_trace_database_flag_onsql_instance_sql_contained_database_authentication_database_flag_offsql_instance_sql_cross_db_ownership_chaining_database_flag_offsql_instance_sql_external_scripts_enabled_database_flag_offsql_instance_sql_remote_access_database_flag_offsql_instance_sql_user_connections_database_flag_configuredsql_instance_sql_user_options_database_flag_not_configuredsql_instance_with_labelssql_instance_with_no_public_ipsstorage_bucket_bucket_policy_only_enabledstorage_bucket_log_retention_policy_enabledstorage_bucket_log_retention_policy_lock_enabledstorage_bucket_not_publicly_accessiblestorage_bucket_uniform_access_enabled
Query: audit_logging_configured_for_all_service
Usage
powerpipe query gcp_compliance.query.audit_logging_configured_for_all_serviceSteampipe Tables
SQL
with default_audit_configs as ( select * from ( select service, string_agg(log ->> 'logType', ', ') log_types, string_agg(log ->> 'exemptedMembers', ', ') exempted_user, _ctx, project from gcp_audit_policy, jsonb_array_elements(audit_log_configs) as log group by service, project, _ctx ) logs where log_types like '%DATA_WRITE%' and log_types like '%DATA_READ%' and log_types like '%ADMIN_READ%' and service = 'allServices')select default_audit_configs.service resource, case when default_audit_configs.exempted_user is null then 'ok' else 'alarm' end as status, case when default_audit_configs.exempted_user is null then 'Audit logging properly configured across all services and no exempted users associated.' else 'Audit logging not configured as per CIS requirement or default audit setting having exempted user.' end as reason, default_audit_configs.project as projectfrom default_audit_configs;Controls
The query is being used by the following controls:
- Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- 2.1 Ensure that Cloud Audit Logging is configured properly
- 2.1 Ensure That Cloud Audit Logging Is Configured Properly