Ensure security alert policies are enabled and notify responders

Detection without alerting delays incident response. A security alert that is disabled or has no notification target usually fails silently.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 query

Asset types

1 covered

Overview

What this control should detect

Alerting policies that are disabled or do not have any notification channels configured.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): define a standard alerting pack for security-relevant logs and manage the policies from code so they stay enabled and wired to the right notification channels.

When to use service-wide remediation

Use the service-wide path when multiple projects use the same security alerting baseline.

Google Cloud console

  1. Open Monitoring -> Alerting.
  2. Edit the affected policy.
  3. Make sure the policy is Enabled.
  4. Add one or more notification channels such as email, PagerDuty, Pub/Sub, or Webhook.
  5. If the alert is based on logs, make sure the required logs-based metric exists and still receives data.

Google Cloud CLI

Create or update the logs-based metric used by the alert:

gcloud logging metrics create <metric-name> \
  --description="Security event counter" \
  --log-filter='<filter>'

Create a policy from a JSON or YAML definition:

gcloud monitoring policies create --policy-from-file=<policy-file>.json

Validate the policy state:

gcloud monitoring policies list --format='table(name,displayName,enabled)'

Operational notes

  • This control checks whether policies are enabled and have notification channels. It does not verify that you created every policy your organization might want.
  • Prefer code-managed alert policies for shared environments so a local UI change does not silently disable a critical notification path.

References

  • https://cloud.google.com/monitoring/alerts
  • https://docs.cloud.google.com/monitoring/alerts/using-alerting-api
  • https://cloud.google.com/sdk/gcloud/reference/monitoring/policies/create
  • https://cloud.google.com/sdk/gcloud/reference/logging/metrics/create

Query logic

These are the stored checks tied to this control.

Missing required high-risk alert policies

Connectors

Google Cloud

Covered asset types

AlertPolicy

Expected check: eq []

{ alertPolicies(where: { OR: [ { enabled: false }, { notificationChannels: "" } ] }) { ...AssetFragment } }
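The stored query above flags any AlertPolicy that is disabled or has an empty notification-channel list. The script below is an added example (not Cyscale's code and not a Google tool) that applies the same two tests locally to the JSON printed by `gcloud monitoring policies list --format=json`, so the control can be reproduced from the CLI before or after the console fix. It can also be pointed at a policy file before it is handed to `gcloud monitoring policies create --policy-from-file=...`. The sample input, project id and channel ids are constructed placeholders; the treatment of an absent `enabled` field as "enabled" follows the Monitoring API's documented default and is an assumption about the shape of the exported data.

```python
"""Audit Cloud Monitoring alert policies for the two failure modes this
control targets: disabled policies and policies with no notification channel.

Input is the JSON array printed by:
    gcloud monitoring policies list --format=json
Pass the file path as the first argument, or pipe it on stdin; with neither,
the constructed sample below is used.
Added example, not part of the control page or of any vendor tool.
"""
import json
import sys

# Constructed sample mimicking `gcloud monitoring policies list --format=json`.
# Project and channel ids are placeholders, not real resources.
SAMPLE_POLICIES = json.loads("""
[
  {
    "name": "projects/example-proj/alertPolicies/100",
    "displayName": "IAM policy change",
    "enabled": true,
    "combiner": "OR",
    "notificationChannels": ["projects/example-proj/notificationChannels/200"],
    "conditions": [{"displayName": "iam-change-count > 0"}]
  },
  {
    "name": "projects/example-proj/alertPolicies/101",
    "displayName": "Firewall rule change",
    "enabled": false,
    "combiner": "OR",
    "notificationChannels": ["projects/example-proj/notificationChannels/200"],
    "conditions": [{"displayName": "firewall-change-count > 0"}]
  },
  {
    "name": "projects/example-proj/alertPolicies/102",
    "displayName": "Audit config change",
    "enabled": true,
    "combiner": "OR",
    "notificationChannels": [],
    "conditions": [{"displayName": "audit-config-change-count > 0"}]
  },
  {
    "name": "projects/example-proj/alertPolicies/103",
    "displayName": "Bucket IAM change",
    "combiner": "OR",
    "conditions": [{"displayName": "bucket-iam-change-count > 0"}]
  }
]
""")


def policy_findings(policy: dict) -> list[str]:
    """Return the reasons one AlertPolicy fails this control (empty list = pass)."""
    findings = []
    # Assumption from the Monitoring API default: an absent `enabled` means
    # enabled, so only an explicit false counts as disabled.
    if policy.get("enabled", True) is False:
        findings.append("disabled")
    # A missing key, an empty list, or blank channel strings all mean nobody
    # is notified when the condition fires (the stored query's `"" ` case).
    channels = [c for c in policy.get("notificationChannels", []) if c.strip()]
    if not channels:
        findings.append("no notification channels")
    return findings


def audit(policies: list[dict]) -> dict[str, list[str]]:
    """Map each non-compliant policy's resource name to its findings.

    An empty dict is the passing state, the equivalent of the control's `eq []`.
    """
    report = {}
    for policy in policies:
        findings = policy_findings(policy)
        if findings:
            key = policy.get("name") or policy.get("displayName") or "<unnamed>"
            report[key] = findings
    return report


def main() -> int:
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            policies = json.load(fh)
    elif not sys.stdin.isatty():
        policies = json.load(sys.stdin)
    else:
        policies = SAMPLE_POLICIES
    report = audit(policies)
    for name, findings in report.items():
        print(f"FAIL {name}: {', '.join(findings)}")
    print(f"{len(report)} of {len(policies)} policies need attention")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as `gcloud monitoring policies list --format=json | python3 audit_alert_policies.py`; a non-zero exit makes it usable as a gate in the pipeline that manages the code-defined alerting pack, so a policy that was toggled off in the UI or lost its channel is caught on the next run rather than failing silently.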
© 2026 Cyscale Limited