feat(query): implements "Beta - Logs And Alerts Missing Custom Role Changes" - Terraform/gcp

[cx-andre-pereira]

Reason for Proposed Changes

• Currently there are no queries addressing the Terraform/gcp "google_logging_metric" and "google_monitoring_alert_policy" resources's "filter" fields. This query is meant to ensure those resources's filters properly check for changes to Identity
  and Access Management (IAM) role creation, deletion and updating activities.

• Quoting CIS_Google_Cloud_Platform_Foundation_Benchmark_v4.0.0 page 90: "Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any over- privileged role at early stages."

• Additionally page 90 states the specific filter that should be present :

resource.type="iam_role"
AND (protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole"
OR protoPayload.methodName="google.iam.admin.v1.UndeleteRole")

Proposed Changes

• Developed an initial implementation for a query that ensures "Custom Role Changes" are accounted for by a given filter.

• Initial implementations for this query had a more complex interpretation logic for the specific logging query language used, but that has been simplified to a regex that accepts only the specific filter with some freedom for spacing wherever possible (regex), sample negative2.tf specifically tests for "unusual" spacing.

• Based on the audit described by the CIS entry the query will flag if :

  • There is at least one"google_logging_metric" resource in the project and none contain the correct filter
  • There is at least one "google_monitoring_alert_policy" resource in the project and none contain the filter/reference a logging metric that contains the correct filter
  • There is at least one "google_monitoring_alert_policy" resource that contains the filter but none of them declare "notification_channels".

Note: there are currently issues with the search values, i could not get them to point to the "filter" field for either of the target resources in the scan results.

Tenable Reference

I submit this contribution under the Apache-2.0 license.

[github-actions]

KICS version: v2.1.13

Category Results CRITICAL 0 HIGH 0 MEDIUM 0 LOW 0 INFO 0 TRACE 0 TOTAL 0	Metric Values Files scanned 1 Files parsed 1 Files failed to scan 0 Total executed queries 47 Queries failed to execute 0 Execution time 0