
Log levels of the GCP PostgreSQL database are not set to ERROR or lower

Description

This policy checks the log level configured for a Google Cloud Platform (GCP) Cloud SQL PostgreSQL instance. It makes sure that the `log_min_messages` flag is set to ERROR or lower.

Why is this important? In short, it's about keeping logging at an appropriate level for security monitoring while keeping log management efficient.

If the log level is set too high (too verbose, such as DEBUG or INFO in PostgreSQL's ordering), you capture a large amount of routine information that creates noise in your logs and makes serious issues harder to spot. It also increases cost, because a larger volume of log data requires more storage and more computational power to analyze.

Setting the log level to ERROR or lower ensures that the logs focus on error events and those of higher severity. In PostgreSQL's `log_min_messages` ordering, "lower" means less verbose: each level also logs every level after it, so ERROR or lower covers ERROR, LOG, FATAL and PANIC. This makes troubleshooting more efficient, makes genuinely problematic events easier to identify and rectify, and reduces unnecessary expenditure on log storage and analysis. Not adhering to this policy can therefore lead to inefficient resource management and difficulty in identifying critical database issues.

Code Example

```hcl
resource "google_sql_database_instance" "default" {
  name             = "postgres-instance" # illustrative instance name
  database_version = "POSTGRES_14"       # the policy applies to PostgreSQL instances
  region           = "us-central1"

  settings {
    tier = "db-f1-micro" # required by the provider; value is illustrative

    # Log only ERROR and more severe messages (ERROR, LOG, FATAL, PANIC)
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
  }
}
```

Remediation

Terraform

  • Resource: google_sql_database_instance

To fix the issue:

Set the logging level of your GCP PostgreSQL instance to ERROR or lower. In Terraform, add a `database_flags` block inside `settings` of the `google_sql_database_instance` resource with `name = "log_min_messages"` and `value = "ERROR"` (or a less verbose level such as LOG, FATAL or PANIC).
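The check described above and the remediation it expects can be exercised against a Terraform plan without running Checkov. The following is an added example (not Checkov's own implementation of CKV_GCP_109 and not part of this page's original code) that reads a simplified, constructed `terraform show -json` style plan, finds every `google_sql_database_instance`, and reports whether `log_min_messages` is ERROR or lower according to PostgreSQL's level ordering. It assumes that an absent flag counts as a finding, because PostgreSQL's default for `log_min_messages` is WARNING, which is more verbose than ERROR; non-PostgreSQL instances are treated as out of scope.

```python
import json

# PostgreSQL severity levels for log_min_messages, most verbose first.
# Each level also logs every level after it, so "ERROR or lower" means
# ERROR, LOG, FATAL or PANIC (fewer messages emitted).
PG_LEVELS = ["DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1",
             "INFO", "NOTICE", "WARNING", "ERROR", "LOG", "FATAL", "PANIC"]


def is_error_or_lower(value):
    """True if value is a valid PostgreSQL level at or beyond ERROR (case-insensitive)."""
    level = str(value).strip().upper()
    if level not in PG_LEVELS:
        return False  # unknown or misspelled values are treated as non-compliant
    return PG_LEVELS.index(level) >= PG_LEVELS.index("ERROR")


def check_instance(resource):
    """Return (passed, reason) for one google_sql_database_instance resource dict
    in terraform show -json shape. Only PostgreSQL instances are in scope."""
    values = resource.get("values", {})
    version = str(values.get("database_version", ""))
    if not version.upper().startswith("POSTGRES"):
        return True, "not a PostgreSQL instance, out of scope"
    flags = {}
    for settings in values.get("settings", []):
        for flag in settings.get("database_flags", []):
            flags[flag.get("name")] = flag.get("value")
    if "log_min_messages" not in flags:
        # Assumption of this example: the engine default (WARNING) applies, which is too verbose.
        return False, "log_min_messages not set (default WARNING is more verbose than ERROR)"
    value = flags["log_min_messages"]
    if is_error_or_lower(value):
        return True, f"log_min_messages={value}"
    return False, f"log_min_messages={value} is more verbose than ERROR"


def check_plan(plan_json):
    """Evaluate every google_sql_database_instance in a plan JSON string.
    Returns a list of (address, passed, reason) tuples."""
    plan = json.loads(plan_json)
    results = []
    for res in plan["planned_values"]["root_module"].get("resources", []):
        if res.get("type") != "google_sql_database_instance":
            continue
        passed, reason = check_instance(res)
        results.append((res["address"], passed, reason))
    return results


def _instance(name, version, flags=None):
    """Helper to build one constructed resource entry in plan JSON shape."""
    settings = {"tier": "db-f1-micro"}
    if flags is not None:
        settings["database_flags"] = [{"name": k, "value": v} for k, v in flags.items()]
    return {
        "address": f"google_sql_database_instance.{name}",
        "type": "google_sql_database_instance",
        "name": name,
        "values": {"database_version": version, "settings": [settings]},
    }


# Constructed sample plan: one compliant instance, one too verbose,
# one MySQL instance (out of scope) and one with the flag unset.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        _instance("prod", "POSTGRES_14", {"log_min_messages": "ERROR"}),
        _instance("dev", "POSTGRES_14", {"log_min_messages": "DEBUG1"}),
        _instance("legacy", "MYSQL_8_0", {"general_log": "off"}),
        _instance("unset", "POSTGRES_15"),
    ]}}
})

if __name__ == "__main__":
    for address, passed, reason in check_plan(SAMPLE_PLAN):
        print(f"{'PASS' if passed else 'FAIL'}  {address}: {reason}")
```

Run it directly to see a PASS/FAIL line per instance; in a pipeline you would feed it the output of `terraform show -json plan.out` instead of the constructed sample. Note that the treatment of an unset flag and of non-PostgreSQL engines is this example's choice, not necessarily how the policy engine itself scores those cases.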

Rule Details

Field        Value
ID           IAC-0967
Severity     LOW
IaC Type     Terraform
Frameworks   Terraform, TerraformPlan
Checkov ID   CKV_GCP_109

References