Control: Compute Instances should restrict disrupt logging permission
Description
This control ensures that Compute Instance does not disrupt logging permissions.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.compute_instance_no_disrupt_logging_permissionSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.compute_instance_no_disrupt_logging_permission --shareSQL
This control uses a named query:
with role_with_disrupt_logging_permission as ( select distinct name, project from gcp_iam_role, jsonb_array_elements_text(included_permissions) as p where not is_gcp_managed and p in ('logging.buckets.delete', 'logging.buckets.update', 'logging.logMetrics.delete', 'logging.logMetrics.update', 'logging.logs.delete', 'logging.sinks.delete', 'logging.sinks.update') ), policy_with_disrupt_logging_permission as ( select distinct entity, project from gcp_iam_policy, jsonb_array_elements(bindings) as p, jsonb_array_elements_text(p -> 'members') as entity where p ->> 'role' in ('roles/logging.bucketWriter', 'roles/logging.configWriter', 'roles/logging.admin') or p ->> 'role' in (select name from role_with_disrupt_logging_permission)), compute_instance_with_disrupt_logging_service_permission as ( select distinct self_link from gcp_compute_instance as i, jsonb_array_elements(service_accounts) as e left join policy_with_disrupt_logging_permission as b on b.entity = concat('serviceAccount:' || (e ->> 'email')) where b.entity is not null)select i.self_link as resource, case when p.self_link is not null then 'alarm' else 'ok' end as status, case when p.self_link is not null then i.title || ' allow disrupt logging permission.' else i.title || ' restrict disrupt logging permission.' end as reason , location as location, project as projectfrom gcp_compute_instance as i left join compute_instance_with_disrupt_logging_service_permission as p on p.self_link = i.self_link;