π§ Google Cloud Audit Logging is not configured properly - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml - Located in: π Google Cloud Audit Logging is not configured properly π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π Google Project | CA10__CaGoogleProject__c | 2 | 1 | 16 |
Usesβ
- π Google IAM Policy Audit Config - object.extracts.yaml
- π Google IAM Policy Audit Log Config - object.extracts.yaml
- π Google Project - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2025-04-24T23:47:07.461289223Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | a4p1 | βοΈ 199 | βοΈ CA10__Google_Resource_Manager_Projects__r.has(COMPLIANT) | βοΈ null |
| π’ | a4p2 | βοΈ 199 | βοΈ CA10__Google_Resource_Manager_Projects__r.has(COMPLIANT) | βοΈ null |
| π’ | a4p3 | βοΈ 199 | βοΈ CA10__Google_Resource_Manager_Projects__r.has(COMPLIANT) | βοΈ null |
| π’ | a4p3IN | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | a4p3IN2 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | a4p3IN3 | βοΈ 200 | βοΈ otherwise | βοΈ null |
| π’ | a4p3IN4 | βοΈ 200 | βοΈ otherwise | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/google/logging/audit-logging-configuration/policy.yaml | E55CD7A05B0A5527B600AD75893A83B9 |
| Open | /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml | 764353DED76D44977BC681241C2EC41A |
| Open | /ce/ca/google/logging/audit-logging-configuration/test-data.json | 30885C3FD59875830B95D5779DDAD77C |
| Open | /types/CA10__CaGoogleIamPolicyAuditConfig__c/object.extracts.yaml | C0AFDAABBCA4E60A368C5953D05809DF |
| Open | /types/CA10__CaGoogleIamPolicyAuditLogConfig__c/object.extracts.yaml | 48FDC97ADBDBBB58265E84134754A471 |
| Open | /types/CA10__CaGoogleProject__c/object.extracts.yaml | 8EB422663BF4493D44ABA5FEC0FB9AD4 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/google/logging/audit-logging-configuration/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaGoogleProject__c"
testData:
- file: test-data.json
importExtracts:
- file: /types/CA10__CaGoogleProject__c/object.extracts.yaml
conditions:
- status: "COMPLIANT"
currentStateMessage: "Cloud Audit Logging is configured to track all admin activities and read, write access to user data."
check:
RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__Google_Resource_Manager_Projects__r"
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "Cloud Audit Logging is not configured to track all admin activities and read, write access to user data."
remediationMessage: "Configure Cloud Audit Logging to track all admin activities and read, write access to user data."
relatedLists:
- relationshipName: "CA10__Google_Resource_Manager_Projects__r"
importExtracts:
- file: /types/CA10__CaGoogleIamPolicyAuditConfig__c/object.extracts.yaml
- file: /types/CA10__CaGoogleIamPolicyAuditLogConfig__c/object.extracts.yaml
conditions:
- status: "COMPLIANT"
currentStateMessage: "Cloud Audit Logging is configured to track all admin activities and read, write access to user data."
check:
OR:
args:
- RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__Google_IAM_Policy_Audit_Configs__r"
- RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__resourceManagerFolder__r.CA10__Google_IAM_Policy_Audit_Configs__r"
- RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__resourceManagerOrganization__r.CA10__Google_IAM_Policy_Audit_Configs__r"
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "Resource Manager Project is not configured to track all admin activities and read, write access to user data."
relatedLists:
# PROJECT level
- relationshipName: "CA10__Google_IAM_Policy_Audit_Configs__r"
recordTypes:
- "caGoogleIamPolicyAuditConfigProject"
conditions:
- status: "COMPLIANT"
currentStateMessage: "Project Audit Config is configured to track all admin activities and read, write access to user data."
check:
AND:
args:
- IS_EQUAL:
left:
RELATED_LIST_COUNT:
status: "COMPLIANT"
relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
right:
NUMBER: 2.0
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Configs
- IS_EQUAL:
left:
EXTRACT: "CA10__service__c"
right:
TEXT: "allServices"
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "Project Audit Config is not configured to track all admin activities and read, write access to user data."
relatedLists:
- relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
conditions:
- status: "COMPLIANT"
currentStateMessage: "COMPLIANT Audit Log Configs"
check:
AND:
args:
- OR:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_WRITE"
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_READ"
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Log_Config
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "INCOMPLIANT Audit Log Configs"
# FOLDER level
- relationshipName: "CA10__resourceManagerFolder__r.CA10__Google_IAM_Policy_Audit_Configs__r"
recordTypes:
- "caGoogleIamPolicyAuditConfigFolder"
conditions:
- status: "COMPLIANT"
currentStateMessage: "Folder Audit Config is configured to track all admin activities and read, write access to user data."
check:
AND:
args:
- IS_EQUAL:
left:
RELATED_LIST_COUNT:
status: "COMPLIANT"
relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
right:
NUMBER: 2.0
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Configs
- IS_EQUAL:
left:
EXTRACT: "CA10__service__c"
right:
TEXT: "allServices"
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "Folder Audit Config is not configured to track all admin activities and read, write access to user data."
relatedLists:
- relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
conditions:
- status: "COMPLIANT"
currentStateMessage: "COMPLIANT Audit Log Configs"
check:
AND:
args:
- OR:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_WRITE"
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_READ"
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Log_Config
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "INCOMPLIANT Audit Log Configs"
# ORG level
- relationshipName: "CA10__resourceManagerOrganization__r.CA10__Google_IAM_Policy_Audit_Configs__r"
recordTypes:
- "caGoogleIamPolicyAuditConfigOrganization"
conditions:
- status: "COMPLIANT"
currentStateMessage: "Organization Audit Config is configured to track all admin activities and read, write access to user data."
check:
AND:
args:
- IS_EQUAL:
left:
RELATED_LIST_COUNT:
status: "COMPLIANT"
relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
right:
NUMBER: 2.0
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Configs
- IS_EQUAL:
left:
EXTRACT: "CA10__service__c"
right:
TEXT: "allServices"
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "Organization Audit Config is not configured to track all admin activities and read, write access to user data."
relatedLists:
- relationshipName: "CA10__Google_IAM_Policy_Audit_Log_Config1__r"
conditions:
- status: "COMPLIANT"
currentStateMessage: "COMPLIANT Audit Log Configs"
check:
AND:
args:
- OR:
args:
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_WRITE"
- IS_EQUAL:
left:
EXTRACT: "CA10__logType__c"
right:
TEXT: "DATA_READ"
- IS_EMPTY:
arg:
EXTRACT: "CA10__exemptedMembers__c" # Audit_Log_Config
otherwise:
status: "INCOMPLIANT"
currentStateMessage: "INCOMPLIANT Audit Log Configs"