steampipe plugin install gcp

Table: gcp_audit_policy - Query Google Cloud Platform Audit Policies using SQL

Google Cloud Audit Logs is a feature that maintains three audit logs for each Google Cloud project, folder, and organization: Admin Activity, Data Access, and System Event. These logs can be used to help you answer the question of "who did what, where, and when?" within your Google Cloud environment. Audit logs are critical for incident response, forensics, and establishing regulatory and compliance controls.

Table Usage Guide

The gcp_audit_policy table provides insights into audit policies within Google Cloud Platform. As a security analyst, explore policy-specific details through this table, including policy settings, service conditions, and associated metadata. Utilize it to uncover information about policies, such as those with specific service conditions, the identity of the creator and the verification of policy settings.

Examples

Basic info

Determine the areas in which different types of logs are created by analyzing the audit policies within the Google Cloud Platform. This is useful for managing and understanding the audit trails in your environment.

select
service,
jsonb_array_elements(audit_log_configs) ->> 'logType' as log_type
from
gcp_audit_policy;
select
service,
json_extract(audit_log_configs, '$.logType') as log_type
from
gcp_audit_policy,
json_each(audit_log_configs);

List of services which has data write access

Determine the areas in which certain services have data write access. This is useful for understanding potential security risks and ensuring only appropriate services have this level of access.

select
service,
log_type ->> 'logType' as log_type
from
gcp_audit_policy,
jsonb_array_elements(audit_log_configs) as log_type
where
log_type ->> 'logType' = 'DATA_WRITE';
select
service,
json_extract(log_type.value, '$.logType') as log_type
from
gcp_audit_policy,
json_each(audit_log_configs) as log_type
where
json_extract(log_type.value, '$.logType') = 'DATA_WRITE';

Schema for gcp_audit_policy

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
akasjsonbArray of globally unique identifier strings (also known as) for the resource.
audit_log_configsjsonbThe configuration for logging of each type of permission
locationtextThe GCP multi-region, region, or zone in which the resource is located.
projecttext=, !=, ~~, ~~*, !~~, !~~*The GCP Project in which the resource is located.
servicetextSpecifies a service that will be enabled for audit logging
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_audit_policy