Ensure log metric filter and alerts exist for Cloud Storage IAM permission changes

From Google Cloud Console

Create the Log Metric

1. Go to Logging, Log-based Metrics by visiting https://console.cloud.google.com/logs/metrics
2. Select Create metric
3. For Metric Type, select Counter
4. Under Details, add a name and set the Units to 1
5. Under Filter selection, add the following query:

resource.type="gcs_bucket"
AND protoPayload.methodName="storage.setIamPermissions"

1. Click Create Metric. This will take to Logging/Logs at https://console.cloud.google.com/logs/metrics?

Create the alert policy

1. Go back to Log-based Metrics and identify the newly created metric under User-defined metrics
2. Click the 3-dot icon in rightmost column of that metric to open menu options and select Create alert from Metric
3. Fill in the required details. Choose the alerting threshold and configuration that makes sense for the organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:

Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value

1. Under Configure notifications, configure the desired notification channels
2. Name the policy and select CREATE POLICY

Using Google Cloud CLI

Create prescribed Log Metric

• Use command: gcloud beta logging metrics create
• Reference for Command Usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create

Create prescribed Alert Policy

• Use command: gcloud alpha monitoring policies create
• Reference for command Usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create

References

1. https://cloud.google.com/logging/docs/logs-based-metrics/
2. https://cloud.google.com/monitoring/custom-metrics/
3. https://cloud.google.com/monitoring/alerts/
4. https://cloud.google.com/logging/docs/reference/tools/gcloud-logging
5. https://cloud.google.com/storage/docs/access-control/iam
6. https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
7. https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create

Multiple Remediation Paths

Google Cloud

SERVICE-WIDE (RECOMMENDED when many resources are affected): Enforce Organization Policies at org/folder level so new resources inherit secure defaults.

gcloud org-policies set-policy policy.yaml

ASSET-LEVEL: Use the product-specific remediation steps above for only the impacted project/resources.

PREVENTIVE: Use org policy constraints/custom constraints and enforce checks in deployment pipelines.

References for Service-Wide Patterns

• GCP Organization Policy overview: https://cloud.google.com/resource-manager/docs/organization-policy/overview
• GCP Organization policy constraints catalog: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
• gcloud org-policies: https://cloud.google.com/sdk/gcloud/reference/org-policies

Operational Rollout Workflow

Use this sequence to reduce risk and avoid repeated drift.

1. Contain at Service-Wide Scope First (Recommended)

• Google Cloud: apply organization policy constraints at org/folder scope.

gcloud org-policies set-policy policy.yaml

2. Remediate Existing Affected Assets

• Execute the control-specific Console/CLI steps documented above for each flagged resource.
• Prioritize internet-exposed and production assets first.

3. Validate and Prevent Recurrence

• Re-scan after each remediation batch.
• Track exceptions with owner and expiry date.
• Add preventive checks in IaC/CI pipelines.