IAM default audit log config should not exempt any users


A project’s default audit log configuration should not exempt any members: operations performed by an exempted principal are dropped from the audit logs, so removing every exemption ensures that admin write operations and data access operations are logged for all users and service accounts.

Remediation Steps

Google Cloud Console

  • Navigate to Audit Logs.

  • Click on Set Default Configuration at the top of the page.

  • In the Exempted Users tab, hover over a user name and select the trash icon that appears.

  • Once the user’s name is shown in strikethrough text, click Save.

gcloud CLI

  • Run the following command to read the project’s IAM policy:

    • gcloud projects get-iam-policy PROJECT_ID > /tmp/project_policy.yaml

  • Alternatively, the policy can be read and set at the organization or folder level. If setting the policy at the organization level, it is not necessary to also set it for each folder or project; an exemptedMembers list that was set directly on a folder or project is a separate entry, however, so inspect every level where one exists:

    • gcloud organizations get-iam-policy ORGANIZATION_ID > /tmp/org_policy.yaml

    • gcloud resource-manager folders get-iam-policy FOLDER_ID > /tmp/folder_policy.yaml

  • Edit the saved policy file (/tmp/project_policy.yaml, /tmp/org_policy.yaml or /tmp/folder_policy.yaml) and remove every exemptedMembers list found under auditConfigs / auditLogConfigs. Leave the log types, the role bindings and the etag as they are: the etag lets set-iam-policy reject the write if the policy changed since it was read, in which case re-read it and edit again.

  • To write the new IAM policy, run the command for the level you edited:

    • gcloud organizations set-iam-policy ORGANIZATION_ID /tmp/org_policy.yaml

    • gcloud resource-manager folders set-iam-policy FOLDER_ID /tmp/folder_policy.yaml

    • gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy.yaml
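The manual editing step above is easy to get wrong on a large policy (an exemptedMembers list can sit under any log type of any service). The following Python script is an added example, not part of this page or of the gcloud tooling: it lists every exemption in a policy and writes back a copy with all of them removed, leaving bindings, log types and the etag untouched. It assumes the policy was fetched with gcloud’s --format=json option; the embedded sample policy, project, user and service-account names are constructed for illustration.

```python
import json
import sys

# Constructed sample of what `gcloud projects get-iam-policy PROJECT_ID --format=json`
# returns for a project whose default audit config exempts two principals.
# Project, user and service-account names are hypothetical.
SAMPLE_POLICY_JSON = """
{
  "auditConfigs": [
    {
      "service": "allServices",
      "auditLogConfigs": [
        {"logType": "ADMIN_READ"},
        {"logType": "DATA_READ",
         "exemptedMembers": ["user:alice@example.com"]},
        {"logType": "DATA_WRITE",
         "exemptedMembers": ["user:alice@example.com",
                             "serviceAccount:etl@example-project.iam.gserviceaccount.com"]}
      ]
    }
  ],
  "bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwX1234abcd=",
  "version": 1
}
"""


def sample_policy() -> dict:
    """Parse the constructed sample policy (stands in for real gcloud output)."""
    return json.loads(SAMPLE_POLICY_JSON)


def find_exemptions(policy: dict) -> list:
    """Return (service, logType, member) for every exemptedMembers entry.

    An empty list means the policy passes this check."""
    found = []
    for cfg in policy.get("auditConfigs", []):
        for log_cfg in cfg.get("auditLogConfigs", []):
            for member in log_cfg.get("exemptedMembers", []):
                found.append((cfg.get("service", ""), log_cfg.get("logType", ""), member))
    return found


def strip_exemptions(policy: dict) -> dict:
    """Return a deep copy of the policy with every exemptedMembers list removed.

    Only the exemptedMembers keys change: the log types stay enabled, the role
    bindings are untouched, and the etag is preserved so set-iam-policy can
    reject the write if someone modified the policy in the meantime."""
    cleaned = json.loads(json.dumps(policy))  # deep copy; the input is not mutated
    for cfg in cleaned.get("auditConfigs", []):
        for log_cfg in cfg.get("auditLogConfigs", []):
            log_cfg.pop("exemptedMembers", None)
    return cleaned


if __name__ == "__main__":
    # Usage: python3 strip_exemptions.py [policy.json] > cleaned.json
    # With no argument the constructed sample policy is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            policy = json.load(fh)
    else:
        policy = sample_policy()
    for service, log_type, member in find_exemptions(policy):
        print(f"exemption: service={service} logType={log_type} member={member}",
              file=sys.stderr)
    json.dump(strip_exemptions(policy), sys.stdout, indent=2)
    print()
```

To use it against a real project: `gcloud projects get-iam-policy PROJECT_ID --format=json > /tmp/project_policy.json`, then `python3 strip_exemptions.py /tmp/project_policy.json > /tmp/project_policy_clean.json`, and finally `gcloud projects set-iam-policy PROJECT_ID /tmp/project_policy_clean.json` (set-iam-policy accepts JSON as well as YAML). The exemptions printed on stderr are the ones being removed, which is worth keeping as a change record; the same script works on policies fetched from the organization or folder level.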