SQL statements of GCP PostgreSQL are not logged
Description
This policy (CKV_GCP_111) pertains to logging practices in Google Cloud Platform's (GCP) Cloud SQL for PostgreSQL. It checks that the `log_statement` database flag is set so that SQL statements are written to the server log. PostgreSQL's `log_statement` parameter accepts `none` (the default), `ddl`, `mod`, and `all`; with the default, no statements are logged at all. Logging SQL statements helps track the actions and queries performed on a database server. From a security viewpoint, this record is what lets you detect and investigate suspicious database activity, reduce the risk of data loss, and gather forensic evidence in case of a data breach. If SQL statements are not logged, an organization may miss crucial data and alerts about potential security threats or operational issues. Note that `all` records the full text of every statement, including literal values, so the logs themselves become sensitive and need access controls and retention settings of their own.
Remediation
Terraform
- Resource: google_sql_database_instance
To fix this issue, enable SQL statement logging for your GCP PostgreSQL database by adding a `log_statement` database flag to the `google_sql_database_instance` resource, as in the following example:
Code Example
```hcl
resource "google_sql_database_instance" "default" {
  name             = "database"
  region           = "us-central1"
  database_version = "POSTGRES_11"
  settings {
    ...
    database_flags {
      name  = "log_statement"
      value = "all"
    }
    ...
  }
}
```
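The following is an added example, not Checkov's own implementation and not code from this page: a standalone Python script that applies the same condition to a Terraform plan JSON (the output of `terraform show -json tfplan`, which is what the TerraformPlan framework consumes). It walks every `google_sql_database_instance` in the plan, skips non-PostgreSQL engines, and fails any PostgreSQL instance whose `log_statement` flag is missing or set to `none`. The sample plan, the helper names, and the set of values treated as compliant (`ddl`, `mod`, `all`) are assumptions; the page itself only shows `all`.

```python
"""Standalone check for the CKV_GCP_111 condition against a Terraform plan
JSON (output of `terraform show -json tfplan`). Added example, not Checkov's
own implementation; the sample plan below is constructed for illustration."""
import json

# Values PostgreSQL accepts for the log_statement parameter.
POSTGRES_LOG_STATEMENT_VALUES = {"none", "ddl", "mod", "all"}
# ASSUMPTION: values this example treats as compliant. The page's fix uses
# "all"; "ddl" and "mod" log a subset of statements, "none" logs nothing.
COMPLIANT_VALUES = {"ddl", "mod", "all"}


def _iter_resources(module):
    """Yield every resource in a plan module, recursing into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _iter_resources(child)


def log_statement_value(values):
    """Return the log_statement flag value from an instance's planned values,
    or None when the flag is not declared (PostgreSQL then uses 'none')."""
    for settings in values.get("settings") or []:
        for flag in settings.get("database_flags") or []:
            if flag.get("name") == "log_statement":
                return flag.get("value")
    return None


def evaluate_plan(plan):
    """Return one finding per PostgreSQL google_sql_database_instance."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in _iter_resources(root):
        if res.get("type") != "google_sql_database_instance":
            continue
        values = res.get("values", {})
        # The flag is PostgreSQL-specific; MySQL and SQL Server instances are out of scope.
        if not str(values.get("database_version", "")).startswith("POSTGRES"):
            continue
        value = log_statement_value(values)
        if value is None:
            result, reason = "FAILED", "log_statement not set; PostgreSQL default is 'none'"
        elif value not in POSTGRES_LOG_STATEMENT_VALUES:
            result, reason = "FAILED", f"log_statement has invalid value {value!r}"
        elif value in COMPLIANT_VALUES:
            result, reason = "PASSED", f"log_statement = {value!r}"
        else:
            result, reason = "FAILED", f"log_statement = {value!r} disables statement logging"
        findings.append({"address": res.get("address"), "result": result, "reason": reason})
    return findings


def _instance(name, version, flags=None):
    """Build a constructed plan resource entry in `terraform show -json` shape."""
    settings = {"tier": "db-f1-micro"}
    if flags is not None:
        settings["database_flags"] = [{"name": n, "value": v} for n, v in flags]
    return {
        "address": f"google_sql_database_instance.{name}",
        "type": "google_sql_database_instance",
        "name": name,
        "values": {"name": name, "region": "us-central1",
                   "database_version": version, "settings": [settings]},
    }


# Constructed sample plan: one compliant instance, two non-compliant ones,
# and a MySQL instance the check must skip.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        _instance("logged", "POSTGRES_11", [("log_statement", "all")]),
        _instance("silenced", "POSTGRES_14", [("log_statement", "none"),
                                               ("log_connections", "on")]),
        _instance("unset", "POSTGRES_14"),
        _instance("mysql", "MYSQL_8_0"),
    ]}},
}

if __name__ == "__main__":
    print(json.dumps(evaluate_plan(SAMPLE_PLAN), indent=2))
```

Run it against a real plan by replacing `SAMPLE_PLAN` with `json.load(open("plan.json"))`. The unset case is the one most often missed in review: a PostgreSQL instance with no `database_flags` block at all is silently non-compliant because the engine default is `none`, so the check must treat an absent flag the same as an explicit `none`.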
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0969 |
| Severity | MEDIUM |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_111 |