Control: Ensure that the log metric filter and alerts exist for Custom Role changes
Description
It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Usage
Run the control in your terminal:
powerpipe control run gcp_compliance.control.logging_metric_alert_custom_role_changes

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run gcp_compliance.control.logging_metric_alert_custom_role_changes --share

SQL
This control uses a named query:
with filter_data as (
  select
    m.project as project,
    display_name alert_name,
    count(m.name) metric_name
  from
    gcp_monitoring_alert_policy,
    jsonb_array_elements(conditions) as filter_condition
    join gcp_logging_metric m on m.filter ~ '\s*resource\.type\s*=\s*"iam_role"\s*AND\s*\(\s*protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.CreateRole"\s*OR\s*protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.DeleteRole"\s*OR\s*protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.UpdateRole"\s*\)'
    and filter_condition -> 'conditionThreshold' ->> 'filter' like '%metric.type="' || m.metric_descriptor_type || '"%'
  where
    enabled
  group by
    m.project, display_name, m.name
)
select
  'https://cloudresourcemanager.googleapis.com/v1/projects/' || project_id resource,
  case
    when d.metric_name > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when d.metric_name > 0
      then 'Log metric and alert exist for custom role changes.'
    else 'Log metric and alert do not exist for custom role changes.'
  end as reason
  , project_id as project
from
  gcp_project as p
  left join filter_data as d on d.project = p.name;
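The evaluation the query performs, re-expressed in Python as an added example (not code from the gcp_compliance mod): the same regular expression is applied to each metric's filter, a metric is tied to an alert condition through the metric.type="..." text in conditionThreshold.filter, and only enabled policies count. The metric and policy rows, project names and metric types are constructed sample data.

```python
import re

# Same regular expression the control's SQL applies to gcp_logging_metric.filter
ROLE_CHANGE_FILTER = re.compile(
    r'\s*resource\.type\s*=\s*"iam_role"\s*AND\s*\(\s*'
    r'protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.CreateRole"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.DeleteRole"\s*OR\s*'
    r'protoPayload\.methodName\s*=\s*"google\.iam\.admin\.v1\.UpdateRole"\s*\)'
)

def evaluate(projects, metrics, policies):
    """Return {project: 'ok' | 'alarm'}, mirroring the control's status column.
    metrics: rows shaped like gcp_logging_metric (project, filter, metric_descriptor_type);
    policies: rows shaped like gcp_monitoring_alert_policy (enabled, conditions).
    As in the SQL, a metric is tied to a condition by metric.type alone (not by
    project), and only enabled policies count.
    """
    covered = set()
    for m in metrics:
        if not ROLE_CHANGE_FILTER.search(m["filter"]):
            continue  # metric exists but does not watch all three role methods
        needle = f'metric.type="{m["metric_descriptor_type"]}"'
        for p in policies:
            if not p["enabled"]:
                continue  # a disabled policy never fires, so it does not satisfy the control
            if any(needle in c.get("conditionThreshold", {}).get("filter", "")
                   for c in p["conditions"]):
                covered.add(m["project"])
    return {name: ("ok" if name in covered else "alarm") for name in projects}

# Constructed sample data, not real GCP resources
FULL_FILTER = ('resource.type="iam_role" AND ('
               'protoPayload.methodName="google.iam.admin.v1.CreateRole" OR '
               'protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR '
               'protoPayload.methodName="google.iam.admin.v1.UpdateRole")')
METRIC_TYPE = "logging.googleapis.com/user/custom-role-changes"
PROJECTS = ["proj-a", "proj-b", "proj-c"]
METRICS = [
    {"project": "proj-a", "filter": FULL_FILTER, "metric_descriptor_type": METRIC_TYPE},
    {"project": "proj-b", "filter": FULL_FILTER, "metric_descriptor_type": METRIC_TYPE + "-b"},
    {"project": "proj-c", "metric_descriptor_type": METRIC_TYPE,  # watches DeleteRole only
     "filter": 'resource.type="iam_role" AND protoPayload.methodName="google.iam.admin.v1.DeleteRole"'},
]

def policy(metric_type, enabled):
    cond = {"conditionThreshold": {"filter": f'metric.type="{metric_type}" AND resource.type="global"'}}
    return {"enabled": enabled, "conditions": [cond]}

POLICIES = [policy(METRIC_TYPE, True), policy(METRIC_TYPE + "-b", False)]  # proj-b's policy is disabled
```

Calling evaluate(PROJECTS, METRICS, POLICIES) yields ok for proj-a and alarm for proj-b (policy disabled) and proj-c (filter covers only DeleteRole), the two cases that most often slip past a manual review.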