terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Ensure bucket logs access.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: gcp-cloud-storage-logging
    patterns:
      - pattern: |
          resource "google_storage_bucket" $ANYTHING {
            ...
          }
      - pattern-not-inside: |
          resource "google_storage_bucket" $ANYTHING {
            ...
            logging {
                log_bucket = ...
            }          
            ...
          }
    message: Ensure bucket logs access.
    languages:
      - hcl
    severity: WARNING
    metadata:
      owasp:
        - A10:2017 - Insufficient Logging & Monitoring
        - A09:2021 - Security Logging and Monitoring Failures
      cwe:
        - "CWE-778: Insufficient Logging"
      technology:
        - terraform
        - gcp
      category: security
      references:
        - https://docs.bridgecrew.io/docs/google-cloud-policy-index
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Insufficient Logging

Examples

gcp-cloud-storage-logging.tf

# fail
# ruleid: gcp-cloud-storage-logging
resource "google_storage_bucket" "fail" {
    name     = "jgwloggingbucket"
    location = var.location
    uniform_bucket_level_access = true
}

# ok: gcp-cloud-storage-logging
resource "google_storage_bucket" "success" {
    name     = "jgwloggingbucket"
    location = var.location
    uniform_bucket_level_access = true
    logging {
        log_bucket = "mylovelybucket"
    }
}