Information
It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes.
Rationale:
Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.
Impact:
Enabling of logging may result in your project being charged for the additional logs usage.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
From Console:
Create the prescribed log metric:
Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click 'CREATE METRIC'.
Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.
Clear any text and add:
resource.type=gcs_bucket
AND protoPayload.methodName="storage.setIamPermissions"
Click Submit Filter. The displayed logs update to show only the entries matching the filter text entered.
In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and Type to Counter. This ensures that the log metric counts the number of log entries matching the user's advanced logs query.
Click Create Metric.
Create the prescribed Alert Policy:
Identify the newly created metric under the section User-defined Metrics at https://console.cloud.google.com/logs/metrics.
Click the 3-dot icon in the rightmost column for the new metric and select Create alert from Metric. A new page appears.
Fill out the alert policy configuration and click Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero (0) for the most recent value will ensure that a notification is triggered for every owner change in the project:
Set 'Aggregator' to 'Count'
Set 'Configuration':
- Condition: above
- Threshold: 0
- For: most recent value
Configure the desired notification channels in the section Notifications.
Name the policy and click Save.
From Command Line:
Create the prescribed Log Metric:
Use the command: gcloud beta logging metrics create
Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/beta/logging/metrics/create
Create the prescribed alert policy:
Use the command: gcloud alpha monitoring policies create
Reference for command usage: https://cloud.google.com/sdk/gcloud/reference/alpha/monitoring/policies/create
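An added compliance check, not part of the benchmark or of Nessus: it takes the JSON that `gcloud logging metrics list --format=json` and `gcloud alpha monitoring policies list --format=json` are assumed to emit, finds metrics whose filter contains the prescribed clauses, and reports whether an enabled alert policy has a threshold condition on each one. The sample inputs are constructed inline.

```python
import json
import re

# Clauses of the filter the benchmark prescribes, normalised (quotes dropped, lower-case).
REQUIRED_CLAUSES = (
    "resource.type=gcs_bucket",
    "protopayload.methodname=storage.setiampermissions",
)

def _norm(text):
    # Collapse whitespace, drop double quotes and lower-case so formatting differences do not matter.
    return re.sub(r"\s+", " ", text.replace('"', "").strip()).lower()

def compliant_metric_names(metrics):
    """Names of log-based metrics whose filter contains every prescribed clause."""
    return [m["name"] for m in metrics
            if all(c in _norm(m.get("filter", "")) for c in REQUIRED_CLAUSES)]

def policies_alerting_on(policies, metric_name):
    """Display names of enabled alert policies with a threshold condition on the given metric."""
    metric_type = f'metric.type="logging.googleapis.com/user/{metric_name}"'
    return [p["displayName"] for p in policies if p.get("enabled", True)
            and any(metric_type in c.get("conditionThreshold", {}).get("filter", "")
                    for c in p.get("conditions", []))]

def check_bucket_iam_monitoring(metrics_json, policies_json):
    """Map each compliant metric to the enabled policies alerting on it (empty list = gap)."""
    metrics, policies = json.loads(metrics_json), json.loads(policies_json)
    return {n: policies_alerting_on(policies, n) for n in compliant_metric_names(metrics)}

# Constructed sample resembling `gcloud logging metrics list --format=json` (assumed shape).
SAMPLE_METRICS = json.dumps([
    {"name": "bucket-iam-changes",
     "filter": 'resource.type=gcs_bucket\nAND protoPayload.methodName="storage.setIamPermissions"'},
    {"name": "bucket-creates",
     "filter": 'resource.type=gcs_bucket AND protoPayload.methodName="storage.buckets.create"'},
])
# Constructed sample resembling `gcloud alpha monitoring policies list --format=json` (assumed shape).
SAMPLE_POLICIES = json.dumps([
    {"displayName": "Bucket IAM change", "enabled": True, "conditions": [
        {"conditionThreshold": {
            "filter": 'metric.type="logging.googleapis.com/user/bucket-iam-changes" AND resource.type="gcs_bucket"',
            "comparison": "COMPARISON_GT", "thresholdValue": 0}}]},
    {"displayName": "Old disabled policy", "enabled": False, "conditions": [
        {"conditionThreshold": {"filter": 'metric.type="logging.googleapis.com/user/bucket-iam-changes"'}}]},
])

if __name__ == "__main__":
    for metric, pols in check_bucket_iam_monitoring(SAMPLE_METRICS, SAMPLE_POLICIES).items():
        print(f"{metric}: {'alerted by ' + ', '.join(pols) if pols else 'NO ENABLED ALERT POLICY'}")
```

A project with no compliant metric yields an empty result, which is the same finding as a metric with no enabled policy.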