A log metric filter and alert should exist for project ownership assignments/changes

Description

To prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all role/owner assignments should be monitored. Members (users/service-accounts) with a role assignment that maps to the role/owner role are project owners. The project owner role includes the following privileges for the projects to which the role belongs:

- All viewer permissions on all GCP services within the project.
- Permissions for actions that modify the state of all GCP services within
the project.
- Manage roles and permissions for a project and all resources within the
project.
- Project billing setup.

Granting the owner role to a member (user/service-account) will enable that user to modify the Identity and Access Management (IAM) policy. Because the IAM policy contains sensitive access control data, the owner role should be restricted to users that require access to manage the policy. Having a minimal set of users allowed to manage the IAM policy will simplify any auditing that may be necessary.

Rationale

To avoid misuse of project resources, the project ownership assignment/change actions mentioned above should be monitored and alerts sent to stakeholders when the following actions occur:

- A project ownership invite is sent.
- A use accepts or rejects a project ownership invite.
- `role\Owner` is added to a user/service-account.
- A user/Service account is removed from `role\Owner`.

Impact

If you enable logging, your project may be charged for additional logs usage.

Remediation

From the console

Create the prescribed log metric

  1. On the Log-based Metrics page, click CREATE METRIC.
  2. Click the arrow to the right of the search-filter box and select Convert to Advanced Filter.
  3. Replace any existing text with the following:
    (protoPayload.serviceName="cloudresourcemanager.googleapis.com")
    AND (ProjectOwnership OR projectOwnerInvitee)
    OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
    OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
    
  4. Click Submit Filter to update the logs displayed on the page.
  5. In the Metric Editor, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
  6. Click Create Metric.

Create a prescribed alert policy

  1. Locate the newly created metric under the section User-defined Metrics.
  2. Click the vertical ellipsis and select Create alert from Metric.
  3. Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user’s organization, for example, a threshold of zero(0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
    Set `Aggregator` to `Count`
    Set `Configuration`:
    - Condition: above
    - Threshold: 0
    - For: most recent value
    
  4. Configure the desired notifications channels in the Notifications section.
  5. Name the policy and click Save.

From the command line

Create a prescribed log metric

To create a prescribed log metric, run the following command: gcloud beta logging metrics create

Create a prescribed alert policy

To create a prescribed alert policy, run the following command: gcloud alpha monitoring policies create

References

  1. https://cloud.google.com/logging/docs/logs-based-metrics/
  2. https://cloud.google.com/monitoring/custom-metrics/
  3. https://cloud.google.com/monitoring/alerts/
  4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging

Additional Information

  1. Project ownership assignments for a user cannot be done using the gcloud utility as assigning project ownership requires sending an invitation to the user, which the user must then accept.
  2. Invites are not sent for SetIAMPolicy to role/owner as this action is directly performed on service accounts.