Control: 2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes
Description
In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner
assignments should be monitored.
Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner
are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below:
- All viewer permissions on all GCP Services within the project
- Permissions for actions that modify the state of all GCP services within the project
- Manage roles and permissions for a project and all resources within the project
- Set up billing for a project Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore,grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Remediation
From Console
Create the prescribed log metric:
- Go to
Logging/Logs-based Metrics
by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC". - Click the down arrow symbol on the
Filter Bar
at the rightmost corner and selectConvert to Advanced Filter
. - Clear any text and add:
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")AND (ProjectOwnership OR projectOwnerInvitee)OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
- Click
Submit Filter
. The logs display based on the filter text entered by the user. - In the
Metric Editor
menu on the right, fill out the name field. SetUnits
to1
(default) and theType
toCounter
. This ensures that the log metric counts the number of log entries matching the advanced logs query. - Click
Create Metric
.
Create the display prescribed Alert Policy:
- Identify the newly created metric under the section
User-defined Metrics
at https://console.cloud.google.com/logs/metrics. - Click the 3-dot icon in the rightmost column for the desired metric and select
Create alert from Metric
. A new page opens. - Fill out the alert policy configuration and click
Save
. Choosethealertingthreshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`Set `Configuration`:- Condition: above- Threshold: 0- For: most recent value
- Configure the desired notifications channels in the section
Notifications
. - Name the policy and click
Save
.
From Command Line
Create a prescribed Log Metric:
- Use the command: gcloud beta logging metrics create.
- Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create.
Create a prescribed Alert Policy:
- Use the command: gcloud alpha monitoring policies create.
- Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.cis_v200_2_4
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run gcp_compliance.control.cis_v200_2_4 --share
SQL
This control uses a named query:
logging_metric_alert_project_ownership_assignment