Logging metric filter and alert for project ownership assignments/changes should be configured


Custom roles are derived from predefined roles that give granular access to specific Google resources. A metric filter and alarm should be established when a predefined role is customized to help identify any over-privileged role. Monitoring role creation, deletion, and update activities help in identifying any over-privileged role at early stages.

Remediation Steps

Google Cloud Console

This is a two-part process. First, you create the log metric. Next, you create an alert policy.

Step 1: Make sure the log metric is present:

  • Navigate to Log-based Metrics and click CREATE METRIC.

  • Ensure Metric Type is set to Counter.

  • Under Details, enter a name and description, and set Units to 1.

  • Under Filter selection, clear any text in the Build filter box and enter the following:

    • resource.type="iam_role" AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")

  • Click Create Metric.

Step 2: To create the alert policy:

  • Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.

  • Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.

  • Set Aggregator to Count and set the desired time period.

  • Under Configuration, choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project:

Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
  • Click Save.

  • Configure the desired notifications channels in the section Notifications.

  • Name the policy and click Save.

gcloud CLI

  • To create the log metric:

    • gcloud beta logging metrics create

    • For flags, see Google Cloud’s CLI reference.

  • To create the alert policy:

    • gcloud alpha monitoring policies create

    • For flags, see Google Cloud’s CLI reference.