Table: gcp_audit_policy - Query Google Cloud Platform Audit Policies using SQL
Google Cloud Audit Logs maintains audit logs, including Admin Activity, Data Access, and System Event logs, for each Google Cloud project, folder, and organization. These logs answer the question "who did what, where, and when?" within your Google Cloud environment and are critical for incident response, forensics, and establishing regulatory and compliance controls. Admin Activity and System Event logs are always written and cannot be turned off; the Data Access logs are governed by the IAM audit configuration that this table exposes, and most services do not write them unless that configuration enables the ADMIN_READ, DATA_READ, and DATA_WRITE log types.
Table Usage Guide
The gcp_audit_policy table provides insights into the IAM audit configuration (the Cloud Audit Logs Data Access settings) of each Google Cloud project. As a security analyst, use it to see which services have which Data Access log types (ADMIN_READ, DATA_READ, DATA_WRITE) enabled, whether a catch-all allServices entry exists, and which principals are listed as exemptedMembers, so that gaps in the audit trail are found before an investigation depends on them.
Examples
Basic info
List every service in the audit policy together with the log types (ADMIN_READ, DATA_READ, DATA_WRITE) enabled for it. This is the quickest way to understand which audit trails actually exist in your environment.

```sql
-- Postgres: expand the audit_log_configs jsonb array, one row per service and log type
select
  service,
  jsonb_array_elements(audit_log_configs) ->> 'logType' as log_type
from
  gcp_audit_policy;
```

```sql
-- SQLite: json_each() expands the array; json_extract() reads each element's logType
select
  service,
  json_extract(audit_log_configs, '$.logType') as log_type
from
  gcp_audit_policy,
  json_each(audit_log_configs);
```
List services with DATA_WRITE logging enabled
Show which services record Data Access logs for write operations. This is a logging setting, not an access grant: a service that is neither listed here nor covered by an allServices entry can still be written to, it simply leaves no Data Access log entry for those writes, which matters when reconstructing an incident.

```sql
-- Postgres: keep only the entries whose logType is DATA_WRITE
select
  service,
  log_type ->> 'logType' as log_type
from
  gcp_audit_policy,
  jsonb_array_elements(audit_log_configs) as log_type
where
  log_type ->> 'logType' = 'DATA_WRITE';
```

```sql
-- SQLite: same filter using json_each()/json_extract()
select
  service,
  json_extract(log_type.value, '$.logType') as log_type
from
  gcp_audit_policy,
  json_each(audit_log_configs) as log_type
where
  json_extract(log_type.value, '$.logType') = 'DATA_WRITE';
```
Control examples
- CIS v1.2.0 > 2 Logging and Monitoring > 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- CIS v1.3.0 > 2 Logging and Monitoring > 2.1 Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
- CIS v2.0.0 > 2 Logging and Monitoring > 2.1 Ensure that Cloud Audit Logging is configured properly
- CIS v3.0.0 > 2 Logging and Monitoring > 2.1 Ensure That Cloud Audit Logging Is Configured Properly
- Ensure that Cloud Audit Logging is configured properly across all services and all users from a project
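The CIS 2.1 controls listed above require a catch-all allServices entry with ADMIN_READ, DATA_READ and DATA_WRITE enabled and no exempted members. The following query is an added example, not part of the Steampipe documentation or the CIS benchmark mod, that evaluates that condition per project in Postgres syntax. It assumes the gcp_project table from the same plugin (columns project_id and name), which is needed because a project with no audit configuration at all produces no gcp_audit_policy row, and it assumes the audit_log_configs shape documented on this page: a jsonb array of objects such as {"logType": "DATA_READ", "exemptedMembers": ["user:alice@example.com"]}.

```sql
-- Added example: CIS 2.1-style evaluation of the default (allServices) audit config.
-- Assumptions: gcp_project exists with project_id; audit_log_configs elements carry
-- "logType" and an optional "exemptedMembers" array.
with default_cfg as (
  -- Only the catch-all entry counts; per-service entries cannot satisfy the control alone.
  select
    project,
    cfg ->> 'logType' as log_type,
    coalesce(jsonb_array_length(cfg -> 'exemptedMembers'), 0) as exempted
  from
    gcp_audit_policy,
    jsonb_array_elements(audit_log_configs) as cfg
  where
    service = 'allServices'
),
per_project as (
  select
    project,
    count(distinct log_type) filter (
      where log_type in ('ADMIN_READ', 'DATA_READ', 'DATA_WRITE')
    ) as required_types,
    sum(exempted) as exempted_members
  from
    default_cfg
  group by
    project
)
select
  p.project_id,
  case
    when c.project is null then 'alarm'
    when c.required_types < 3 then 'alarm'
    when c.exempted_members > 0 then 'alarm'
    else 'ok'
  end as status,
  case
    when c.project is null then 'no allServices audit config'
    when c.required_types < 3 then 'missing ' || (3 - c.required_types)::text
      || ' of ADMIN_READ/DATA_READ/DATA_WRITE'
    when c.exempted_members > 0 then c.exempted_members::text || ' exempted member(s)'
    else 'ADMIN_READ, DATA_READ and DATA_WRITE enabled with no exemptions'
  end as reason
from
  gcp_project as p
  left join per_project as c on c.project = p.project_id
order by
  status,
  p.project_id;
```

The left join from gcp_project is what makes a project with no audit config at all show up as an alarm; a query over gcp_audit_policy alone would silently skip it. Exempted members are counted per log type, so one principal exempted from both DATA_READ and DATA_WRITE counts twice; the control is violated either way.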
Schema for gcp_audit_policy
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
audit_log_configs | jsonb | | The configuration for logging of each type of permission. |
location | text | | The GCP multi-region, region, or zone in which the resource is located. |
project | text | =, !=, ~~, ~~*, !~~, !~~* | The GCP Project in which the resource is located. |
service | text | | Specifies a service that will be enabled for audit logging. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp
```
You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_gcp --config '<your_config>' gcp_audit_policy
```