Cyscale
Back to controls

Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

Category

Controls

Low

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.

Rationale

Monitoring changes to Cloud Storage bucket permissions may reduce time to detect and correct permissions on sensitive Cloud Storage bucket and objects inside the bucket.

Impact

Enabling of logging may result in your project being charged for the additional logs usage. These charges could be significant depending on the size of the organization.

Remediation guidance

Google Cloud Remediation

Service-wide fix (recommended): treat Cloud Storage IAM changes as a standard alerting use case and deploy the same metric and alert policy pattern to every project that holds sensitive buckets.

Google Cloud console

Create the log-based metric:

  1. Open Logging -> Logs-based metrics.
  2. Create a new counter metric.
  3. Use this filter:
resource.type="gcs_bucket"
protoPayload.methodName="storage.setIamPermissions"
  1. Save the metric.
  2. Create an alert from that metric and attach at least one notification channel.

Google Cloud CLI

Create the metric:

gcloud logging metrics create gcs-iam-permission-changes --description="Cloud Storage IAM permission changes" --log-filter='resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"'

Example alert policy definition:

displayName: Cloud Storage IAM permission changes
combiner: OR
conditions:
- displayName: Storage IAM change detected
  conditionThreshold:
    filter: 'metric.type="logging.googleapis.com/user/gcs-iam-permission-changes" AND resource.type="global"'
    comparison: COMPARISON_GT
    thresholdValue: 0
    duration: 0s
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_DELTA
enabled: true
notificationChannels:
- projects/<project-id>/notificationChannels/<channel-id>

gcloud monitoring policies create --policy-from-file=policy.yaml

References

  • https://cloud.google.com/logging/docs/logs-based-metrics
  • https://docs.cloud.google.com/sdk/gcloud/reference/monitoring/policies/create
  • https://cloud.google.com/storage/docs/access-control/iam

Query logic

These are the stored checks tied to this control.

Log metric filter and alerts exist for Cloud Storage IAM permission changes

Connectors

Google Cloud

Covered asset types

Connector

Expected check: eq []

GCPLogging10{...AssetFragment}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon