---
title: >-
  A log metric filter and alert should exist for project ownership
  assignments/changes
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > A log metric filter and alert should
  exist for project ownership assignments/changes
---

# A log metric filter and alert should exist for project ownership assignments/changes
 
## Description{% #description %}

To prevent unnecessary project ownership assignments to users/service-accounts and further misuse of projects and resources, all `roles/owner` assignments should be monitored. Members (users/service-accounts) with a role assignment that maps to the `roles/owner` role are project owners. The project owner role includes the following privileges for the projects to which the role belongs:

- All viewer permissions on all GCP services within the project.
- Permissions for actions that modify the state of all GCP services within the project.
- Manage roles and permissions for a project and all resources within the project.
- Project billing setup.

Granting the owner role to a member (user/service-account) will enable that user to modify the Identity and Access Management (IAM) policy. Because the IAM policy contains sensitive access control data, the owner role should be restricted to users that require access to manage the policy. Having a minimal set of users allowed to manage the IAM policy will simplify any auditing that may be necessary.

## Rationale{% #rationale %}

To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored, and alerts sent to stakeholders, when any of the following occurs:

- A project ownership invite is sent.
- A user accepts or rejects a project ownership invite.
- `roles/owner` is added to a user/service-account.
- A user/service-account is removed from `roles/owner`.

### Impact{% #impact %}

If you enable logging, your project may be charged for additional logs usage.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

#### Create the prescribed log metric{% #create-the-prescribed-log-metric %}

1. On the [Log-based Metrics page](https://console.cloud.google.com/logs/metrics), click **CREATE METRIC**.
1. Click the arrow to the right of the search-filter box and select **Convert to Advanced Filter**.
1. Replace any existing text with the following:
   ```
   (protoPayload.serviceName="cloudresourcemanager.googleapis.com")
   AND (ProjectOwnership OR projectOwnerInvitee)
   OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
   AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
   OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
   AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
   ```
1. Click **Submit Filter** to update the logs displayed on the page.
1. In the **Metric Editor**, fill out the name field. Set `Units` to `1` (default) and the `Type` to `Counter`. This ensures that the log metric counts the number of log entries matching the advanced logs query.
1. Click **Create Metric**.

#### Create a prescribed alert policy{% #create-a-prescribed-alert-policy %}

1. Locate the newly created metric under the section **User-defined Metrics**.
1. Click the vertical ellipsis and select **Create alert from Metric**.
1. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold and configuration that make sense for your organization. For example, a threshold of zero (`0`) on the most recent value ensures that a notification is triggered for every owner change in the project:
   - Set `Aggregator` to `Count`
   - Set `Configuration`:
     - Condition: above
     - Threshold: 0
     - For: most recent value
1. Configure the desired notifications channels in the **Notifications** section.
1. Name the policy and click **Save**.

### From the command line{% #from-the-command-line %}

#### Create a prescribed log metric{% #create-a-prescribed-log-metric %}

To create a [prescribed log metric](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create), run the following command: `gcloud beta logging metrics create`

#### Create a prescribed alert policy{% #create-a-prescribed-alert-policy-1 %}

To create a [prescribed alert policy](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create), run the following command: `gcloud alpha monitoring policies create`
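The two commands above need the filter from the console steps and an alert policy body. The script below is an added example, not code from this page, Datadog or Google: it wires the console filter and the console alert settings (Aggregator `Count`, condition above threshold `0`, most recent value) into `gcloud beta logging metrics create` and `gcloud alpha monitoring policies create --policy-from-file`. `PROJECT_ID`, `METRIC_NAME` and `CHANNEL_ID` are assumed placeholders; the notification channel must already exist.

```shell
# Added example (not the page's or Google's code): wires the console filter and
# alert settings into gcloud. Placeholders: PROJECT_ID, METRIC_NAME, CHANNEL_ID
# (an existing notification channel). Talks to GCP only when invoked as:
#   sh create-owner-alert.sh apply
set -eu
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
METRIC_NAME="${METRIC_NAME:-project-ownership-changes}"
CHANNEL_ID="${CHANNEL_ID:-CHANNEL_ID_PLACEHOLDER}"
# The advanced logs filter from the console steps, as a single string.
owner_change_filter() {
  printf '%s' '(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
}
# Alert policy for --policy-from-file: count matching log entries per minute and
# notify when the latest count is above 0, i.e. on every owner change. Args: metric project channel
alert_policy_json() {
  cat <<EOF
{
  "displayName": "Project ownership assignments/changes",
  "combiner": "OR",
  "conditions": [{
    "displayName": "roles/owner binding added or removed, or ownership invite",
    "conditionThreshold": {
      "filter": "metric.type=\"logging.googleapis.com/user/$1\"",
      "comparison": "COMPARISON_GT",
      "thresholdValue": 0,
      "duration": "0s",
      "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_COUNT"}],
      "trigger": {"count": 1}
    }
  }],
  "notificationChannels": ["projects/$2/notificationChannels/$3"]
}
EOF
}

if [ "${1:-}" = "apply" ]; then
  gcloud beta logging metrics create "$METRIC_NAME" --project="$PROJECT_ID" \
    --description="Counts roles/owner assignments, removals and invites" \
    --log-filter="$(owner_change_filter)"
  policy_file="$(mktemp)"
  alert_policy_json "$METRIC_NAME" "$PROJECT_ID" "$CHANNEL_ID" > "$policy_file"
  gcloud alpha monitoring policies create --project="$PROJECT_ID" \
    --policy-from-file="$policy_file"
fi
```

Run it without the `apply` argument to print nothing and check that the functions produce the expected filter and policy; with `apply` it creates the metric first, so the policy's `metric.type` resolves when the policy is created.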

## References{% #references %}

1. [https://cloud.google.com/logging/docs/logs-based-metrics/](https://cloud.google.com/logging/docs/logs-based-metrics/)
1. [https://cloud.google.com/monitoring/custom-metrics/](https://cloud.google.com/monitoring/custom-metrics/)
1. [https://cloud.google.com/monitoring/alerts/](https://cloud.google.com/monitoring/alerts/)
1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging](https://cloud.google.com/logging/docs/reference/tools/gcloud-logging)

## Additional Information{% #additional-information %}

1. Project ownership assignments for a user cannot be done using the gcloud utility as assigning project ownership requires sending an invitation to the user, which the user must then accept.
1. Invites are not sent for `SetIamPolicy` on `roles/owner`, as this action is performed directly on service accounts.
