GCP PostgreSQL instance database flag log_statement_stats is not set to off
Description
This policy checks whether the 'log_statement_stats' flag for PostgreSQL databases is set to 'off'. The 'log_statement_stats' setting controls whether detailed performance statistics for each executed statement are written to the server's logs. If it is set to 'on', it generates a large volume of log output, especially on systems executing complex operations, which can easily fill up the storage media, degrade database performance, and make the logs difficult to read. Moreover, the information collected by 'log_statement_stats' could contain sensitive data, posing a data exposure risk. Hence, it is recommended to keep it set to 'off' by default and only enable it temporarily when needed for debugging.
Code Example
```hcl
resource "google_sql_database_instance" "default" {
  name             = "default"
  database_version = "POSTGRES_9_6"
  region           = "us-central1"

  settings {
    # Explicitly disable per-statement statistics logging.
    database_flags {
      name  = "log_statement_stats"
      value = "off"
    }
  }
}
```
Remediation
Terraform
- Resource: google_sql_database_instance
- Arguments: settings.database_flags
To fix this issue, you need to ensure that the PostgreSQL database flag 'log_statement_stats' is set to 'off'. This can be achieved by including the flag in the settings of the managed PostgreSQL database instance, as shown in the code example above.
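The following is an added example, not part of the original policy page or of Checkov's own implementation, showing how the rule above can be evaluated against the JSON output of `terraform show -json <planfile>`. The sample plan is constructed inline; the check scopes itself to PostgreSQL instances, ignores other engines, and (an assumption of this example, since the policy reads "is not set to off") reports an absent flag as a finding as well as a non-'off' value.

```python
def instance(name, version, flags):
    """Build one resource entry in terraform plan-JSON shape (constructed sample data).
    Nested blocks (settings, database_flags) appear as lists in plan JSON."""
    return {"address": f"google_sql_database_instance.{name}",
            "type": "google_sql_database_instance",
            "values": {"database_version": version,
                       "settings": [{"database_flags": [{"name": n, "value": v}
                                                        for n, v in flags]}]}}

# Constructed sample plan: one compliant instance, one with the flag on, one with
# the flag absent, and a MySQL instance the PostgreSQL-only policy must ignore.
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    instance("ok", "POSTGRES_9_6", [("log_statement_stats", "off")]),
    instance("bad", "POSTGRES_13", [("log_statement_stats", "on")]),
    instance("unset", "POSTGRES_13", [("log_min_messages", "warning")]),
    instance("mysql", "MYSQL_8_0", [("log_statement_stats", "on")]),
]}}}

FLAG = "log_statement_stats"

def iter_resources(module):
    """Yield resources of a plan module and, recursively, of its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_log_statement_stats(plan):
    """Return {address: reason} for PostgreSQL Cloud SQL instances whose
    log_statement_stats flag is missing or set to anything other than 'off'."""
    findings = {}
    for res in iter_resources(plan["planned_values"].get("root_module", {})):
        if res.get("type") != "google_sql_database_instance":
            continue
        values = res.get("values") or {}
        if not str(values.get("database_version", "")).upper().startswith("POSTGRES"):
            continue  # policy applies to PostgreSQL instances only
        flags = {}
        for settings in values.get("settings") or []:
            for flag in settings.get("database_flags") or []:
                flags[flag.get("name")] = str(flag.get("value", "")).strip().lower()
        if FLAG not in flags:
            # Assumption of this example: absent flag is reported (server default is off)
            findings[res["address"]] = f"{FLAG} is not set"
        elif flags[FLAG] != "off":
            findings[res["address"]] = f"{FLAG} = {flags[FLAG]!r}, expected 'off'"
    return findings
```

Run it as `check_log_statement_stats(json.load(open("plan.json")))` after `terraform show -json` has produced the plan file.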
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1002 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_17 |