Logging metric filter and alert for project ownership assignments/changes should be configured


Project ownership has the highest level of privileges on a project. Users should only be granted the owner role if they have a legitimate purpose to manage the project’s IAM policy because it contains sensitive access control data. All ownership assignments and changes should therefore be monitored.

Remediation Steps

Google Cloud Console

This is a two-part process. First, you create the log metric. Next, you create an alert policy.

Step 1: Make sure the log metric is present:

  • Navigate to Log-based Metrics and click CREATE METRIC.

  • Ensure Metric Type is set to Counter.

  • Under Details, enter a name and description, and set Units to 1.

  • Under Filter selection, clear any text in the Build filter box and enter the following:

    • (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")

  • Click Create Metric.

Step 2: To create the alert policy:

  • Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.

  • Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.

  • Set Aggregator to Count and set the desired time period.

  • Under Configuration, choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project:

Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
  • Click Save.

  • Configure the desired notifications channels in the section Notifications.

  • Name the policy and click Save.

gcloud CLI

  • To create the log metric:

    • gcloud logging metrics create

    • For flags, see Google Cloud’s CLI reference.

  • To create the alert policy:

    • gcloud alpha monitoring policies create

    • For flags, see Google Cloud’s CLI reference.