--- title: IAM audit not properly configured description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > IAM audit not properly configured --- # IAM audit not properly configured {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-gcp-iam-audit-not-properly-configured` **Provider:** GCP **Platform:** Terraform **Severity:** Low **Category:** Observability #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#google_project_iam_audit_config) ### Description{% #description %} A defective audit logging configuration in Terraform, as defined by the `google_project_iam_audit_config` resource, can lead to incomplete or incorrect logging of critical activities within your cloud environment. For example, omitting required `log_type` values or specifying exempted members, as shown below, allows certain user actions to go unrecorded, potentially bypassing audit trails and hampering incident investigations: ``` resource "google_project_iam_audit_config" "example" { project = "your-project-id" service = "allServices" audit_log_config { log_type = "DATA_READ" exempted_members = ["user:joebloggs@hashicorp.com"] } } ``` Without comprehensive audit logs, organizations may be unable to detect or investigate unauthorized access or changes, increasing the risk of undetected misuse or data breaches. A secure configuration should ensure that all required log types (such as `ADMIN_READ` and `DATA_READ`) are enabled and that no users or accounts are unnecessarily exempted from logging. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform resource "google_project_iam_audit_config" "negative1" { project = "your-project-id" service = "allServices" audit_log_config { log_type = "ADMIN_READ" } audit_log_config { log_type = "DATA_READ" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform resource "google_project_iam_audit_config" "positive1" { project = "your-project-id" service = "some_specific_service" audit_log_config { log_type = "ADMIN_READ" } audit_log_config { log_type = "DATA_READ" exempted_members = [ "user:joebloggs@hashicorp.com" ] } } resource "google_project_iam_audit_config" "positive2" { project = "your-project-id" service = "allServices" audit_log_config { log_type = "INVALID_TYPE" } audit_log_config { log_type = "DATA_READ" exempted_members = [ "user:joebloggs@hashicorp.com" ] } } ```