---
title: >-
  A log metric filter and alert should exist for cloud storage bucket IAM
  changes
description: Datadog, the leading service for cloud-scale monitoring.
---

# A log metric filter and alert should exist for cloud storage bucket IAM changes
 
## Description{% #description %}

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

## Rationale{% #rationale %}

Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.

### Impact{% #impact %}

Enabling logging may result in your project being charged for the additional log usage.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

#### Create the prescribed log metric{% #create-the-prescribed-log-metric %}

1. Go to **Logging** -> **Log-based Metrics** by visiting [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics) and clicking **CREATE METRIC**.

1. Click the down arrow icon on the **Filter Bar** at the top right corner and select **Convert to Advanced Filter**.

1. Clear any text and add:

   ```
   resource.type="gcs_bucket"
   AND protoPayload.methodName="storage.setIamPermissions"
   ```

1. Click **Submit Filter**. The displayed logs update to show only the entries matching the filter text.

1. In the **Metric Editor** menu on the right, fill out the name field. Set **Units** to `1` (default) and **Type** to `Counter`. This ensures that the log metric counts the number of log entries matching your advanced logs query.

1. Click **Create Metric**.

#### Create the prescribed alert policy{% #create-the-prescribed-alert-policy %}

1. Go to [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics). Under the **User-defined Metrics** section, identify the newly created metric.
1. Click the kebab icon in the rightmost column for the new metric and select **Create alert from Metric**.
1. Fill out the alert policy configuration and click **Save**. Choose the alerting threshold and configuration that makes sense for your organization. For example, a threshold of zero (0) for the most recent value ensures that a notification is triggered for every owner change in the project:

   ```
   Set `Aggregator` to `Count`
   Set `Configuration`:
   - Condition: above
   - Threshold: 0
   - For: most recent value
   ```

1. Configure the desired notification channels in the **Notifications** section. Name the policy and click **Save**.

### From the command line{% #from-the-command-line %}

1. Create the prescribed log metric using the following command. Replace `<METRIC_NAME>` with the name you want to give the metric; the `--log-filter` value is the filter prescribed above:

   ```
   gcloud logging metrics create <METRIC_NAME> \
     --description="Cloud Storage bucket IAM changes" \
     --log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'
   ```

   See the [command usage reference](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create) for more information.

1. Create the prescribed alert policy using the following command. `<POLICY_FILE>` is a JSON or YAML alert policy definition whose condition references the log-based metric created above:

   ```
   gcloud alpha monitoring policies create --policy-from-file=<POLICY_FILE>
   ```

   See the [command usage reference](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create) for more information.
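To make concrete what the metric counts and what the alert policy looks like, here is an added Python example (not Datadog's or Google's code). It encodes the prescribed log filter as a predicate, runs it over constructed sample audit-log entries, applies the "above 0, most recent value" condition, and builds an alert policy body in the shape the Cloud Monitoring API expects (the field names `conditionThreshold`, `COMPARISON_GT` and `ALIGN_COUNT` are assumed from the API; the metric name and notification channel are placeholders).

```python
import json


def matches_gcs_iam_change(entry: dict) -> bool:
    """The page's filter as a predicate:
    resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"."""
    return (entry.get("resource", {}).get("type") == "gcs_bucket"
            and entry.get("protoPayload", {}).get("methodName") == "storage.setIamPermissions")


def count_iam_changes(entries: list) -> int:
    """Counter-type metric: number of entries that match the filter."""
    return sum(1 for e in entries if matches_gcs_iam_change(e))


def alert_fires(most_recent_count: int, threshold: int = 0) -> bool:
    """Condition 'above' with threshold 0 applied to the most recent value."""
    return most_recent_count > threshold


def build_alert_policy(metric_name: str, channel: str) -> dict:
    """Alert policy body (assumed Monitoring API field names) suitable for
    `gcloud alpha monitoring policies create --policy-from-file`."""
    return {
        "displayName": f"{metric_name} alert",
        "combiner": "OR",
        "conditions": [{
            "displayName": "Cloud Storage bucket IAM change",
            "conditionThreshold": {
                # Log-based metrics are exposed under logging.googleapis.com/user/<name>.
                "filter": f'metric.type="logging.googleapis.com/user/{metric_name}" '
                          'AND resource.type="gcs_bucket"',
                "comparison": "COMPARISON_GT",   # Condition: above
                "thresholdValue": 0,             # Threshold: 0
                "duration": "0s",                # For: most recent value
                "aggregations": [{"alignmentPeriod": "60s", "perSeriesAligner": "ALIGN_COUNT"}],
            },
        }],
        "notificationChannels": [channel],
    }


# Constructed sample audit-log entries (not real logs): one match, two non-matches.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gcs_bucket", "labels": {"bucket_name": "example-bucket"}},
     "protoPayload": {"methodName": "storage.setIamPermissions",
                      "authenticationInfo": {"principalEmail": "user@example.com"}}},
    {"resource": {"type": "gcs_bucket", "labels": {"bucket_name": "example-bucket"}},
     "protoPayload": {"methodName": "storage.buckets.get"}},           # not an IAM change
    {"resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "storage.setIamPermissions"}},     # wrong resource type
]

if __name__ == "__main__":
    n = count_iam_changes(SAMPLE_ENTRIES)
    print(f"matching entries: {n}, alert fires: {alert_fires(n)}")
    print(json.dumps(build_alert_policy("gcs_bucket_iam_changes",
                                        "projects/PROJECT_ID/notificationChannels/CHANNEL_ID"), indent=2))
```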

## References{% #references %}

1. [https://console.cloud.google.com/logs/metrics](https://console.cloud.google.com/logs/metrics)
1. [https://cloud.google.com/monitoring/custom-metrics/](https://cloud.google.com/monitoring/custom-metrics/)
1. [https://cloud.google.com/monitoring/alerts/](https://cloud.google.com/monitoring/alerts/)
1. [https://cloud.google.com/logging/docs/reference/tools/gcloud-logging](https://cloud.google.com/logging/docs/reference/tools/gcloud-logging)
1. [https://cloud.google.com/storage/docs/overview](https://cloud.google.com/storage/docs/overview)
1. [https://cloud.google.com/storage/docs/access-control/iam-roles](https://cloud.google.com/storage/docs/access-control/iam-roles)
1. [https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create](https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create)
1. [https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create](https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create)
