Logging metric filter and alert for project ownership assignments/changes should be configured¶
Custom roles are derived from predefined roles that give granular access to specific Google resources. A metric filter and alarm should be established when a predefined role is customized to help identify any over-privileged role. Monitoring role creation, deletion, and update activities help in identifying any over-privileged role at early stages.
Google Cloud Console¶
This is a two-part process. First, you create the log metric. Next, you create an alert policy.
Step 1: Make sure the log metric is present:
Navigate to Log-based Metrics and click CREATE METRIC.
Ensure Metric Type is set to Counter.
Under Details, enter a name and description, and set Units to 1.
Under Filter selection, clear any text in the Build filter box and enter the following:
resource.type="iam_role" AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")
Click Create Metric.
Step 2: To create the alert policy:
Navigate to Logs-based Metrics and identify the newly created metric under the section User-defined Metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric.
Set Aggregator to Count and set the desired time period.
Under Configuration, choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project:
Set `Configuration`: - Condition: above - Threshold: 0 - For: most recent value
Configure the desired notifications channels in the section Notifications.
Name the policy and click Save.