To prevent unnecessary project ownership assignments to users/service-accounts and further misuse of projects and resources, all `roles/owner` assignments should be monitored. Members (users/service-accounts) with a role assignment that maps to the `roles/owner` role are project owners. The project owner role includes the following privileges for the projects to which the role belongs:
- All viewer permissions on all GCP services within the project.
- Permissions for actions that modify the state of all GCP services within the project.
- Manage roles and permissions for a project and all resources within the project.
- Project billing setup.
Granting the owner role to a member (user/service-account) will enable that user to modify the Identity and Access Management (IAM) policy. Because the IAM policy contains sensitive access control data, the owner role should be restricted to users that require access to manage the policy. Having a minimal set of users allowed to manage the IAM policy will simplify any auditing that may be necessary.
To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerts sent to stakeholders when the following actions occur:
- A project ownership invite is sent.
- A user accepts or rejects a project ownership invite.
- `roles/owner` is added to a user/service-account.
- A user/service-account is removed from `roles/owner`.
If you enable logging, your project may be charged for additional logs usage.
The log metric filter for these events:

```
(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
```
Set `Units` to `1` (default) and `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.

For the alert policy, set `Aggregator` to `Count` and set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value

A threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project.
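To make the filter and the alert rule above concrete, here is an added example (not Datadog, Google or CIS code) that renders the three clauses of the log metric filter in Python and runs them over a handful of constructed Cloud Audit Log entries, then applies the Counter metric and the "above 0 on the most recent value" condition. The entries, principals and project name are made up; the substring-based text search is an approximation of how an unqualified query term is matched.

```python
"""Emulate the project-ownership log filter and the alert rule from the text
against constructed Cloud Audit Log entries. Added example; it is not Datadog,
Google or CIS code, and the entries below are made up for illustration."""
import json
from collections import defaultdict
from datetime import datetime

CRM = "cloudresourcemanager.googleapis.com"

# Constructed sample entries in Cloud Audit Log (protoPayload) shape.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "serviceName": CRM, "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner",
             "member": "serviceAccount:deploy@example-project.iam.gserviceaccount.com"}]}}}},
    {"timestamp": "2024-01-01T10:00:30Z", "protoPayload": {  # viewer grant: must not match
        "serviceName": CRM, "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]}}}},
    {"timestamp": "2024-01-01T10:05:00Z", "protoPayload": {  # ownership invite sent
        "serviceName": CRM, "methodName": "InsertProjectOwnershipInvite",
        "request": {"projectOwnerInvitee": "user:alice@example.com"}}},
    {"timestamp": "2024-01-01T10:07:10Z", "protoPayload": {  # owner removed
        "serviceName": CRM, "methodName": "SetIamPolicy",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "REMOVE", "role": "roles/owner", "member": "user:bob@example.com"}]}}}},
    {"timestamp": "2024-01-01T10:09:00Z", "protoPayload": {  # unrelated service: must not match
        "serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.insert"}},
]


def _proto(entry):
    return entry.get("protoPayload", {})


def _binding_deltas(entry):
    return _proto(entry).get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])


def _any_delta(entry, field, value):
    # A comparison on a repeated field holds if any element satisfies it.
    return any(d.get(field) == value for d in _binding_deltas(entry))


def _has_text(entry, token):
    # Approximates an unqualified query term: substring search over the whole entry.
    return token in json.dumps(entry)


def matches_ownership_filter(entry):
    """Python rendering of the three clauses of the log metric filter."""
    invite = _proto(entry).get("serviceName") == CRM and (
        _has_text(entry, "ProjectOwnership") or _has_text(entry, "projectOwnerInvitee"))
    owner_removed = _any_delta(entry, "action", "REMOVE") and _any_delta(entry, "role", "roles/owner")
    owner_added = _any_delta(entry, "action", "ADD") and _any_delta(entry, "role", "roles/owner")
    return invite or owner_removed or owner_added


def owner_change_events(entries):
    """What a stakeholder notification should carry: when, which call, which principal."""
    events = []
    for e in entries:
        if not matches_ownership_filter(e):
            continue
        principal = next((d.get("member") for d in _binding_deltas(e)
                          if d.get("role") == "roles/owner"), None)
        principal = principal or _proto(e).get("request", {}).get("projectOwnerInvitee")
        events.append({"timestamp": e["timestamp"],
                       "method": _proto(e).get("methodName"),
                       "principal": principal})
    return events


def count_metric(entries):
    """Counter log-based metric: matching entries per one-minute alignment period."""
    series = defaultdict(int)
    for e in entries:
        if matches_ownership_filter(e):
            ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
            series[ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(series)


def should_alert(entries, threshold=0):
    """Condition 'above', threshold 0, evaluated on the most recent data point."""
    series = count_metric(entries)
    if not series:
        return False
    return series[max(series)] > threshold


if __name__ == "__main__":
    for ev in owner_change_events(SAMPLE_ENTRIES):
        print(ev)
    print("alert:", should_alert(SAMPLE_ENTRIES))
```

Running it shows three events (the owner grant to a service account, the invite, and the owner removal) and `alert: True`; the viewer grant and the Compute call are ignored. Because the metric is a Counter with a threshold of 0 on the most recent value, any single matching entry in a period fires the policy, which is exactly the "every owner change" behaviour the console settings describe.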
To create a prescribed log metric, run the following command (`METRIC_NAME` and the description are placeholders; pass the filter shown above as `--log-filter`):

```
gcloud beta logging metrics create METRIC_NAME \
  --description="Project ownership changes" \
  --log-filter='<log metric filter shown above>'
```

To create a prescribed alert policy, run the following command (`POLICY_JSON` is a placeholder for a policy file that uses the metric above with the condition, threshold and aggregator settings listed above):

```
gcloud alpha monitoring policies create --policy-from-file=POLICY_JSON
```
`SetIAMPolicy` to `roles/owner`, as this action is directly performed on service accounts.