GoogleCloudPlatform / config-validator

Golang library which provides functionality to evaluate GCP resources against Rego-based policies
Apache License 2.0

IAM audit log is not included in project-level CAI data if it's enabled at org level #145

Open xingao267 opened 4 years ago

xingao267 commented 4 years ago

I have audit logs enabled for all services at the org level, but violations are still reported by Forseti in CSCC for a lot of projects and folders. I took a look at the CAI export, and it seems that at the project level (probably at the folder level as well, but I didn't check) the audit_log_configs block is not present in the exported data, and I guess that's why Forseti still reports violations.

(Note: this is not the same issue as https://github.com/forseti-security/policy-library/issues/367.) This issue might need to be solved in the CAI export data, or in how config validator collects project/folder-level audit log information.

morgante commented 4 years ago

I don't think there's a meaningful way for us to solve this.

If you're looking for audit log configs, you should look at both the org and project level configs.

If you think that's unsatisfactory, I'd recommend asking the CAI team about adding a "materialized" asset.

xingao267 commented 4 years ago

One thing I can try is to change the match target from organization/12345678/* to organization/12345678 so it will not look at folder- or project-level audit logs.

morgante commented 4 years ago

Yeah that should work.

xingao267 commented 4 years ago

Umm, I just tried it in my Forseti instance, and it seems organization/12345678/* is the same as organization/12345678, which also seems to match the documentation: https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#instantiate-constraints.

@briantkennedy do you think we can support organization/12345678 being the exact match to the ancestry path from CAI, and organization/12345678/* being everything under the org?

briantkennedy commented 4 years ago

Hi @xingao267, I believe the behavior you're requesting is already implemented, but based on the other bug, it looks like you're running a very old version of config validator in your Forseti install. @gkowalski-google will probably be able to assist with determining which version and how to upgrade.
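The following Go snippet is an added example, not code from config-validator or from anyone in this thread. It ties together the two points discussed above: a constraint-target matcher with the exact-match vs. `/*` semantics requested by @xingao267, and an "effective audit config" check that looks at both the organization- and project-level audit_log_configs, as @morgante suggested. The matching semantics, the ancestry-path format and the map layout are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// matchesTarget reports whether a CAI ancestry path such as
// "organization/123/folder/456/project/789" is selected by a constraint target.
// Assumed semantics (what the thread asks for, not a claim about config-validator):
// "organization/123" is exact, "organization/123/*" is strictly below it, "organization/*" is any.
func matchesTarget(target, ancestry string) bool {
	target, ancestry = strings.Trim(target, "/"), strings.Trim(ancestry, "/")
	if target == "organization/*" {
		return true
	}
	if strings.HasSuffix(target, "/*") {
		return strings.HasPrefix(ancestry, strings.TrimSuffix(target, "/*")+"/")
	}
	return target == ancestry
}

// ancestors lists every resource on the path, from the organization down to the asset itself.
func ancestors(ancestry string) []string {
	parts := strings.Split(strings.Trim(ancestry, "/"), "/")
	var out []string
	for i := 2; i <= len(parts); i += 2 {
		out = append(out, strings.Join(parts[:i], "/"))
	}
	return out
}

// effectiveLogTypes unions the allServices audit log types found in the
// audit_log_configs of each ancestor; a project with no block of its own in the
// CAI export (absent from the map) still inherits what its organization enabled.
func effectiveLogTypes(ancestry string, configured map[string][]string) map[string]bool {
	enabled := map[string]bool{}
	for _, a := range ancestors(ancestry) {
		for _, lt := range configured[a] {
			enabled[lt] = true
		}
	}
	return enabled
}

func main() {
	cfg := map[string][]string{"organization/12345678": {"DATA_READ", "DATA_WRITE"}} // constructed sample
	fmt.Println(effectiveLogTypes("organization/12345678/project/2222", cfg))
}
```

A policy that evaluates only the project's own audit_log_configs would report the sample project as unaudited, while the union over its ancestors shows both log types enabled.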

gkowalski-google commented 4 years ago

@xingao267 @briantkennedy Added a comment to this ticket. Until the next release, you can use the main branches of the Terraform module and Forseti app to have the ability to change the CV version.