Profile Applicability:

Level 1

Description:

To prevent unauthorized or unnecessary assignment of project ownership and potential misuse of resources, it is critical to monitor all actions related to project ownership. This includes:

  • Sending project ownership invitations.

  • Accepting/rejecting project ownership invitations.

  • Adding the roles/owner role to, or removing it from, a user or service account.

Rationale:

Project owners have the highest level of privileges, including:

  • Viewing, modifying, and managing all Google Cloud Platform (GCP) services within the project.

  • Managing IAM roles and permissions.

  • Setting up billing for the project.

Monitoring project ownership changes ensures sensitive access controls are maintained and any unexpected assignments are promptly addressed.

Impact:

Enabling logging may incur additional costs for log storage and usage.

Default Value:

By default, there are no log-based metrics or alerting policies configured for monitoring project ownership changes.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log-Based Metric:

In the User-defined Metrics section, confirm there is a metric configured with the following filter:

(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")

  2. Verify Alert Policy:

  • Ensure there is an alert policy tied to the metric. The policy should:

    • Trigger when the metric count exceeds 0 within a specified timeframe.

    • Send notifications to appropriate channels.

Using Google Cloud CLI:

  1. Verify Log-Based Metric:

List existing metrics:

gcloud logging metrics list --format json

  • Ensure at least one metric contains the specified filter.

  2. Verify Alert Policy:

List existing alert policies:

gcloud alpha monitoring policies list --format json

  • Ensure a policy exists where:

    • conditions.conditionThreshold.filter references the metric.

    • enabled is set to true.
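An audit script for the two CLI checks above, added here as an example and not part of the benchmark: it reads the JSON printed by `gcloud logging metrics list --format json` and `gcloud alpha monitoring policies list --format json` (constructed samples are embedded so it runs offline) and reports whether a metric carrying the required filter exists and an enabled policy alerts on it. The metric name and policy display names are assumed placeholders.

```python
import json

# Clauses every compliant filter must carry, taken from the filter quoted in this recommendation.
REQUIRED_CLAUSES = (
    'protoPayload.serviceName="cloudresourcemanager.googleapis.com"',
    "ProjectOwnership OR projectOwnerInvitee",
    'protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"',
    'protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"',
    'protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner"',
)

def normalize(log_filter):
    # Canonicalise quoting and whitespace so console- and CLI-created filters compare alike.
    return " ".join(log_filter.replace("'", '"').split())

def matching_metrics(metrics_json):
    """Names of log-based metrics whose filter contains every required clause."""
    return [m["name"] for m in json.loads(metrics_json)
            if all(c in normalize(m.get("filter", "")) for c in REQUIRED_CLAUSES)]

def compliant_policies(policies_json, metric_name):
    """Display names of enabled policies with a 'count > 0' threshold on the metric."""
    metric_type = f"logging.googleapis.com/user/{metric_name}"
    hits = []
    for policy in json.loads(policies_json):
        if not policy.get("enabled", False):
            continue  # a disabled policy never notifies anyone
        for cond in policy.get("conditions", []):
            th = cond.get("conditionThreshold", {})
            if (metric_type in th.get("filter", "") and th.get("comparison") == "COMPARISON_GT"
                    and th.get("thresholdValue", 0) == 0):  # gcloud omits thresholdValue when it is 0
                hits.append(policy["displayName"])
    return hits

def audit(metrics_json, policies_json):
    """True only when a compliant metric exists and an enabled policy alerts on it."""
    return any(compliant_policies(policies_json, m) for m in matching_metrics(metrics_json))

# Constructed sample output of `gcloud logging metrics list --format json` (not real project data).
SAMPLE_METRICS = json.dumps([
    {"name": "project_ownership_changes", "filter": "(protoPayload.serviceName='cloudresourcemanager.googleapis.com') AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action='REMOVE' AND protoPayload.serviceData.policyDelta.bindingDeltas.role='roles/owner') OR (protoPayload.serviceData.policyDelta.bindingDeltas.action='ADD' AND protoPayload.serviceData.policyDelta.bindingDeltas.role='roles/owner')"},
    {"name": "error_count", "filter": "severity>=ERROR"},
])
# Constructed sample output of `gcloud alpha monitoring policies list --format json`.
SAMPLE_POLICIES = json.dumps([
    {"displayName": "Project ownership change", "enabled": True, "conditions": [{"conditionThreshold": {
        "filter": 'metric.type="logging.googleapis.com/user/project_ownership_changes"', "comparison": "COMPARISON_GT"}}]},
    {"displayName": "Same policy, disabled", "enabled": False, "conditions": [{"conditionThreshold": {
        "filter": 'metric.type="logging.googleapis.com/user/project_ownership_changes"', "comparison": "COMPARISON_GT"}}]},
])
```

Pipe the real command output into `audit()` to run the check against a project; a disabled policy or a filter missing any clause makes it fail.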

Remediation Steps:

Using Google Cloud Console:

  1. Create Log-Based Metric:

  • Click CREATE METRIC.

Use the following filter:

(protoPayload.serviceName="cloudresourcemanager.googleapis.com")
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")

  • Configure the metric name, units (1), and type (Counter).

  • Click Create Metric.

  2. Create Alert Policy: Find the created metric under User-defined Metrics.

  • Click the three-dot icon and select Create alert from metric.

  • Configure thresholds (e.g., trigger when the value exceeds 0).

  • Add notification channels and save the policy.

Using Google Cloud CLI:

  1. Create Log-Based Metric: Use the following command:

gcloud beta logging metrics create <metric-name> \
--description="<description>" \
--log-filter="(protoPayload.serviceName='cloudresourcemanager.googleapis.com')
AND (ProjectOwnership OR projectOwnerInvitee)
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action='REMOVE'
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role='roles/owner')
OR (protoPayload.serviceData.policyDelta.bindingDeltas.action='ADD'
    AND protoPayload.serviceData.policyDelta.bindingDeltas.role='roles/owner')"

  2. Create Alert Policy: Use the following command:

gcloud alpha monitoring policies create \
--display-name="<policy-name>" \
--conditions="<condition-config>" \
--notification-channels="<notification-channels>"
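The `<condition-config>` placeholder above is the part most often filled in wrong. This added example (not CIS or Google code) builds the AlertPolicy body for the metric and writes it as a file for `gcloud alpha monitoring policies create --policy-from-file`, which the example assumes is the flag used; the project, channel ID and file name are placeholders.

```python
import json
import re

# The API wants full channel resource names, not the bare IDs the console shows.
CHANNEL_RE = re.compile(r"^projects/[^/]+/notificationChannels/[^/]+$")

def build_policy(metric_name, channels, display_name="Project ownership change"):
    """AlertPolicy body that fires when the log-based metric counts at least one entry
    in a 5-minute window, i.e. the 'value exceeds 0' threshold this recommendation asks for."""
    bad = [c for c in channels if not CHANNEL_RE.match(c)]
    if bad:
        raise ValueError(f"channels must be projects/*/notificationChannels/*: {bad}")
    return {
        "displayName": display_name,
        "combiner": "OR",
        "enabled": True,
        "conditions": [{
            "displayName": f"{metric_name} count > 0",
            "conditionThreshold": {
                "filter": f'metric.type="logging.googleapis.com/user/{metric_name}"',
                "comparison": "COMPARISON_GT",
                "thresholdValue": 0,
                "duration": "0s",  # alert on the first window that crosses the threshold
                # ALIGN_DELTA sums the counter over each alignment period
                "aggregations": [{"alignmentPeriod": "300s", "perSeriesAligner": "ALIGN_DELTA"}],
            },
        }],
        "notificationChannels": list(channels),
    }

def write_policy(path, metric_name, channels):
    """Write the body as JSON and return the gcloud argv that would apply it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(build_policy(metric_name, channels), fh, indent=2)
    return ["gcloud", "alpha", "monitoring", "policies", "create", f"--policy-from-file={path}"]

if __name__ == "__main__":
    # Constructed placeholder values; substitute your own project and channel ID.
    cmd = write_policy("policy.json", "project_ownership_changes",
                       ["projects/my-project/notificationChannels/1234567890"])
    print(" ".join(cmd))
```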

Backout Plan:

Step 1: Disable the Alert Policy

  • gcloud monitoring policies delete ALERT_POLICY_ID
  • Replace ALERT_POLICY_ID with the alert policy name. Note that this command deletes the policy rather than merely disabling it.

Step 2: Remove Log-Based Metric

  • gcloud logging metrics delete project_ownership_changes
  • This removes the log-based metric tracking ownership changes.

Step 3: Revert IAM Changes (If Needed)

  • gcloud projects remove-iam-policy-binding PROJECT_ID --member="user:[email protected]" --role="roles/owner"

CIS Controls:

Control                      Description                                                       IG 1  IG 2  IG 3
8.2 Collect Audit Logs       Ensure that audit logging is enabled across enterprise assets.
6.2 Activate Audit Logging   Enable local logging on all systems and networking devices.
6.7 Regularly Review Logs    Review logs regularly to identify anomalies or abnormal events.