A log metric filter and alert should exist for project ownership assignments/changes
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us!Description
To prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all role/owner
assignments should be monitored. Members (users/service-accounts) with a role assignment that maps to the role/owner
role are project owners. The project owner role includes the following privileges for the projects to which the role belongs:
- All viewer permissions on all GCP services within the project.
- Permissions for actions that modify the state of all GCP services within
the project.
- Manage roles and permissions for a project and all resources within the
project.
- Project billing setup.
Granting the owner role to a member (user/service-account) will enable that user to modify the Identity and Access Management (IAM) policy. Because the IAM policy contains sensitive access control data, the owner role should be restricted to users that require access to manage the policy. Having a minimal set of users allowed to manage the IAM policy will simplify any auditing that may be necessary.
Rationale
To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerts sent to stakeholders when the following actions occur:
- A project ownership invite is sent.
- A use accepts or rejects a project ownership invite.
- `role\Owner` is added to a user/service-account.
- A user/Service account is removed from `role\Owner`.
Impact
If you enable logging, your project may be charged for additional logs usage.
From the console
Create the prescribed log metric
- On the Log-based Metrics page, click CREATE METRIC.
- Click the arrow to the right of the search-filter box and select Convert to Advanced Filter.
- Replace any existing text with the following:
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
- Click Submit Filter to update the logs displayed on the page.
- In the Metric Editor, fill out the name field. Set
Units
to 1
(default) and the Type
to Counter
. This ensures that the log metric counts the
number of log entries matching the advanced logs query. - Click Create Metric.
Create a prescribed alert policy
- Locate the newly created metric under the section User-defined Metrics.
- Click the vertical ellipsis and select Create alert from Metric.
- Fill out the alert policy configuration and click Save. Choose the alerting threshold
and configuration that makes sense for the user’s organization, for example, a
threshold of
zero(0)
for the most recent value will ensure that a notification is
triggered for every owner change in the project:Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
- Configure the desired notifications channels in the Notifications section.
- Name the policy and click Save.
From the command line
Create a prescribed log metric
To create a prescribed log metric, run the following command:
gcloud beta logging metrics create
Create a prescribed alert policy
To create a prescribed alert policy, run the following command:
gcloud alpha monitoring policies create
References
- https://cloud.google.com/logging/docs/logs-based-metrics/
- https://cloud.google.com/monitoring/custom-metrics/
- https://cloud.google.com/monitoring/alerts/
- https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
- Project ownership assignments for a user cannot be done using the gcloud utility as assigning project ownership requires sending an invitation to the user, which the user must then accept.
- Invites are not sent for
SetIAMPolicy
to role/owner
as this action is directly performed on service accounts.