GCP project has Cloud Audit Logs configured to capture administrative operations and data access events for all services and principals. Admin Activity logs are always written and cannot be disabled, but Data Access logs (ADMIN_READ, DATA_READ, DATA_WRITE) are off by default for most services and must be enabled in the project's IAM audit configuration (per IAM Audit Logs). This check verifies that the default (allServices) audit config enables all three log types and that no principals are exempted.
Risk
Absent or partial Data Access audit logging removes visibility into who read or modified data and who changed configurations, hindering detection, incident response, and forensics.
Without that record, a compromised or misused identity can alter IAM to persist access, exfiltrate data, or delete resources unnoticed, impacting confidentiality, integrity, and availability.
prowler gcp --checks iam_audit_logs_enabled
Recommendation
Enable comprehensive Cloud Audit Logs for all services and principals, including ADMIN_READ, DATA_READ, and DATA_WRITE, and avoid exempted members. Set the default audit configuration at the organization or folder level so new projects inherit it, centralize and retain logs in a sink outside the monitored project, enforce least privilege on log access, protect logs from alteration, and alert on anomalous access. Note that DATA_READ on high-volume services (for example Cloud Storage) can generate substantial log volume and cost; plan retention and sinks for it rather than exempting principals.
Remediation
- In the Google Cloud console, go to IAM & Admin > Audit Logs
- Click Set default configuration
- Under Permission types, check Admin Read, Data Read, and Data Write
- Click Save
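The console steps above edit the project's IAM policy `auditConfigs`. The same result can be reached with `gcloud projects get-iam-policy PROJECT_ID --format=json`, editing the JSON, and `gcloud projects set-iam-policy PROJECT_ID policy.json`. The following added example (not Prowler's own check code) evaluates a policy document in that format the way this check does and produces a corrected copy; the sample policy, member names and etag are constructed for illustration.

```python
import copy

# Data Access log types the check requires on the allServices default.
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def audit_logging_findings(policy: dict) -> list[str]:
    """Return findings for a project IAM policy dict; an empty list passes.

    The policy shape is what `gcloud projects get-iam-policy --format=json`
    returns: a top-level "auditConfigs" list of {"service", "auditLogConfigs"}.
    """
    findings = []
    configs = policy.get("auditConfigs", [])
    default = next((c for c in configs if c.get("service") == "allServices"), None)
    if default is None:
        findings.append("no allServices audit config: Data Access logs are off by default")
        enabled = set()
    else:
        enabled = {c.get("logType") for c in default.get("auditLogConfigs", [])}
    for missing in sorted(REQUIRED_LOG_TYPES - enabled):
        findings.append(f"allServices is missing log type {missing}")
    # Exemptions on any service weaken coverage, since GCP applies the union
    # of allServices and service-specific configs (including their exemptions).
    for cfg in configs:
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                findings.append(
                    f"{member} is exempted from {log_cfg.get('logType')} on {cfg.get('service')}"
                )
    return findings


def enforce_audit_logging(policy: dict) -> dict:
    """Return a copy of the policy with all three log types enabled on
    allServices and every exemptedMembers list removed. Bindings and etag
    are preserved so the copy can be passed to set-iam-policy."""
    fixed = copy.deepcopy(policy)
    configs = [c for c in fixed.get("auditConfigs", []) if c.get("service") != "allServices"]
    for cfg in configs:
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_cfg.pop("exemptedMembers", None)
    configs.insert(
        0,
        {"service": "allServices",
         "auditLogConfigs": [{"logType": t} for t in sorted(REQUIRED_LOG_TYPES)]},
    )
    fixed["auditConfigs"] = configs
    return fixed


# Constructed sample: DATA_READ is missing and one user is exempted.
SAMPLE_POLICY = {
    "bindings": [{"role": "roles/owner", "members": ["user:alice@example.com"]}],
    "auditConfigs": [
        {
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:bob@example.com"]},
            ],
        }
    ],
    "etag": "BwXYZ",  # placeholder etag, not a real value
    "version": 1,
}

if __name__ == "__main__":
    for finding in audit_logging_findings(SAMPLE_POLICY):
        print("FAIL:", finding)
    print("after fix:", audit_logging_findings(enforce_audit_logging(SAMPLE_POLICY)))
```

Run the findings function against the exported policy before and after applying the console steps; a non-empty result after the fix usually means a per-service entry still carries exemptions, which the console default configuration page does not remove.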
Source Code
Resource Type
cloudresourcemanager.googleapis.com/Project