Add audit log alerts for each _iam_binding #81

Open
mattmoor opened this issue Jan 24, 2024 · 1 comment
Comments

@mattmoor
Member

The basic idea here is that we use _iam_binding in places where we believe a resource is an implementation detail of a particular module, and therefore the module has complete information about how that resource should be accessed (thus the use of _iam_binding vs. _iam_member).

Building on this idea, we can actually add alert policies for each of these resources to detect and flag anomalous usage. As a proof-of-concept, I added one here (sorry, private repo): https://github.com/chainguard-dev/octo-sts/blob/c737ecae7dd57c2fc340f51bf6aa9e95adfbdd20/iac/main.tf#L124-L176

We should audit this repo for uses of _iam_binding (or cases that should be!) and add audit log alerting to each.
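The pattern described in the issue, written out as an added Terraform example (this is not the proof-of-concept from the linked octo-sts repository, nor code from this project): a bucket that is an implementation detail of a module gets an authoritative `google_storage_bucket_iam_binding`, and because the module therefore knows the complete set of principals that should touch the resource, a log-based metric over the Data Access audit log counts every access whose caller is not one of them, and an alert policy fires on any non-zero count. The project id, bucket name, service account id and notification channel address are placeholders.

```hcl
# Added example, not the project's own code. All names below are placeholders.

variable "project_id" {
  type = string
}

# The only principal the module intends to read the bucket.
resource "google_service_account" "worker" {
  account_id   = "example-worker"
  display_name = "Only principal expected to read the state bucket"
}

resource "google_storage_bucket" "state" {
  name                        = "${var.project_id}-example-state"
  location                    = "US"
  uniform_bucket_level_access = true
}

# Authoritative binding: this module owns the full member list for the role,
# so any member added out of band is reverted on the next apply. This is what
# makes "anyone else" a precise, alertable condition.
resource "google_storage_bucket_iam_binding" "state_reader" {
  bucket  = google_storage_bucket.state.name
  role    = "roles/storage.objectViewer"
  members = ["serviceAccount:${google_service_account.worker.email}"]
}

# Data Access audit logs are off by default for most services; without this
# the log filter below never matches. (Admin Activity logs are always on.)
resource "google_project_iam_audit_config" "storage" {
  project = var.project_id
  service = "storage.googleapis.com"
  audit_log_config {
    log_type = "DATA_READ"
  }
  audit_log_config {
    log_type = "DATA_WRITE"
  }
}

# Log-based metric: data-access entries on this bucket whose caller is not the
# service account the binding grants access to.
resource "google_logging_metric" "unexpected_state_access" {
  name   = "unexpected-state-bucket-access"
  filter = <<-EOT
    logName="projects/${var.project_id}/logs/cloudaudit.googleapis.com%2Fdata_access"
    resource.type="gcs_bucket"
    resource.labels.bucket_name="${google_storage_bucket.state.name}"
    protoPayload.authenticationInfo.principalEmail!="${google_service_account.worker.email}"
  EOT

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

resource "google_monitoring_notification_channel" "oncall" {
  display_name = "example-oncall"
  type         = "email"
  labels = {
    email_address = "oncall@example.com"
  }
}

# Fire on any access at all from an unexpected principal within a 5-minute
# window; since the binding is authoritative, a single hit is already a signal.
resource "google_monitoring_alert_policy" "unexpected_state_access" {
  display_name = "Unexpected access to state bucket"
  combiner     = "OR"

  conditions {
    display_name = "Any access not from the worker service account"
    condition_threshold {
      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.unexpected_state_access.name}\" resource.type=\"gcs_bucket\""
      comparison      = "COMPARISON_GT"
      threshold_value = 0
      duration        = "0s"
      aggregations {
        alignment_period   = "300s"
        per_series_aligner = "ALIGN_SUM"
      }
    }
  }

  notification_channels = [google_monitoring_notification_channel.oncall.id]
}
```

The same shape carries over to any other `_iam_binding` in a module: the filter changes to that service's audit-log `resource.type` and label, and the excluded principals are exactly the binding's `members`. It only works for services that emit Data Access audit logs for the operations in question.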

@mattmoor
Member Author

Note: Pub/Sub does not currently write Data Access audit logs for message operations, such as Publish, Subscribe, and Acknowledge.

For Pub/Sub it looks like we can't do much here.
