Google CloudOverview
It is recommended that a metric filter and alarm be established for changes to Identity and Access Management (IAM) role creation, deletion and updating activities.
Rationale
Google Cloud IAM provides predefined roles that give granular access to specific Google Cloud Platform resources and prevent unwanted access to other resources. However, to cater to organization-specific needs, Cloud IAM also provides the ability to create custom roles. Project owners and administrators with the Organization Role Administrator role or the IAM Role Administrator role can create custom roles. Monitoring role creation, deletion and updating activities will help in identifying any overprivileged role at early stages.
Remediation guidance
From Console
Create the prescribed log metric:
- Go to
Logging/Logs-based Metricsby visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC". - Click the down arrow symbol on the
Filter Barat the rightmost corner and selectConvert to Advanced Filter. - Clear any text and add:
resource.type="iam_role"
AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")
- Click Submit Filter. Display logs appear based on the filter text entered by the user.
- In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.
- Click Create Metric.
Create a prescribed Alert Policy:
- Identify the new metric that was just created under the section
User-defined Metricsat https://console.cloud.google.com/logs/metrics. - Click the 3-dot icon in the rightmost column for the metric and select
Create alert from Metric. A new page displays. - Fill out the alert policy configuration and click
Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:
Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value
- Configure the desired notifications channels in the section
Notifications. - Name the policy and click
Save.
From Command Line
Create the prescribed Log Metric:
- Use the command: gcloud logging metrics create
Create the prescribed Alert Policy:
- Use the command: gcloud monitoring policies create
Service-wide remediation
Recommended when many resources are affected: fix the platform baseline first so new resources inherit the secure setting, then remediate the existing flagged resources in batches.
Google Cloud
Use organization or folder policies where available, shared project templates, logs and alerting baselines, and IaC modules so new resources inherit the secure setting.
Operational rollout
- Fix the baseline first at the account, subscription, project, cluster, or tenant scope that owns this control.
- Remediate the currently affected resources in batches, starting with internet-exposed and production assets.
- Re-scan and track approved exceptions with an owner and expiry date.
Query logic
These are the stored checks tied to this control.
Log metric filter and alerts exist for Custom Role changes
Connectors
Covered asset types
Expected check: eq []
GCPLogging6{...AssetFragment}
