pgAudit is disabled for your GCP PostgreSQL database
Description
This policy verifies that pgAudit is enabled for your Google Cloud Platform PostgreSQL database. The pgAudit extension provides detailed session and/or object audit logging through the standard PostgreSQL logging facility. This matters because it records who did what in the database and when, which is valuable evidence after a security breach or an unexpected change. Without it, the database is exposed to risk because you would be unable to conduct a proper investigation or audit.
Code Example

```hcl
resource "google_sql_database_instance" "default" {
  settings {
    database_flags {
      # pgAudit statement classes to record; "all" covers every class.
      name  = "pgaudit.log"
      value = "'all'"
    }
  }
}
```

Remediation
Terraform
- Resource: google_sql_database_instance
To fix this issue, enable pgAudit for your GCP PostgreSQL database by adding a `database_flags` block with `name = "pgaudit.log"` inside the `settings` block of the `google_sql_database_instance` resource, so that database activity is captured in the PostgreSQL log.
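The following is an added example, not code from this policy page or from Checkov, that places a non-compliant instance beside a compliant one so the difference the rule looks for is visible in one file. Instance names, the region, the PostgreSQL version and the machine tier are assumed values. It also sets `cloudsql.enable_pgaudit`, which Cloud SQL requires before it loads the pgAudit extension at all, and it writes the log value as `all` without the inner single quotes used above, on the assumption that Cloud SQL expects the bare flag value rather than postgresql.conf quoting.

```hcl
# Non-compliant: no database_flags block, so pgAudit is never enabled
# and nothing beyond PostgreSQL's default logging is recorded.
resource "google_sql_database_instance" "unaudited" {
  name             = "pg-unaudited"   # assumed instance name
  database_version = "POSTGRES_15"    # assumed version
  region           = "us-central1"    # assumed region

  settings {
    tier = "db-custom-1-3840"         # assumed tier
  }
}

# Compliant: pgAudit is loaded and configured to record all statement classes.
resource "google_sql_database_instance" "audited" {
  name             = "pg-audited"     # assumed instance name
  database_version = "POSTGRES_15"    # assumed version
  region           = "us-central1"    # assumed region

  settings {
    tier = "db-custom-1-3840"         # assumed tier

    # Cloud SQL only loads the pgAudit extension when this flag is on;
    # pgaudit.log alone has no effect without it.
    database_flags {
      name  = "cloudsql.enable_pgaudit"
      value = "on"
    }

    # Which statement classes pgAudit writes to the PostgreSQL log.
    # "all" covers read, write, function, role, ddl and misc.
    database_flags {
      name  = "pgaudit.log"
      value = "all"
    }
  }
}
```

Running `checkov -d .` against a directory containing only the first resource reports CKV_GCP_110 as failed for it; the second resource passes. Once the flags are applied, the audit records appear in the instance's PostgreSQL log, which is where Cloud Logging picks them up for retention and alerting.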
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0968 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_110 |