Profile Applicability:

Level 1

Description:

Google Cloud Platform (GCP) generates audit logs to record important events such as "who did what, where, and when?" within projects. Configuring a log metric filter and alert for audit configuration changes ensures that any modification to a project's audit configuration (made through a SetIamPolicy call that changes the IAM policy's audit configs) is monitored, preserving accountability and compliance.

Rationale:

Audit logs for Admin Activity and Data Access provide critical details such as the identity of the API caller, the time of the API call, and the actions performed. Monitoring changes to audit configurations helps maintain the integrity of logging policies and ensures that activities within projects remain auditable.

Impact:

Enabling detailed logging might increase storage costs due to additional log usage.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log-Based Metric:

  • Ensure at least one metric is present with the following filter:
protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*

  2. Verify Alert Policy:

  • Confirm an alert policy exists for the metric with the following conditions:

    • Condition: Any value greater than 0 triggers an alert.

    • Threshold: Configured to detect any changes to IAM policy.

  • Ensure appropriate notification channels (e.g., email, SMS) are configured.

Using Google Cloud CLI:

  1. Verify Log-Based Metric: List all metrics:

gcloud beta logging metrics list --format json

  • Ensure a metric exists with the filter:
protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*

  2. Verify Alert Policy: List all alerting policies:

gcloud alpha monitoring policies list --format json

  • Confirm an alert policy is present with:

    • Metric Type: logging.googleapis.com/user/<Log Metric Name>

    • Enabled: true
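The two CLI audit steps above can be evaluated without reading the JSON by hand. The following script is an added example, not part of the benchmark text: it takes the output of `gcloud beta logging metrics list --format json` and `gcloud alpha monitoring policies list --format json` (embedded here as constructed samples; the metric name `iam-audit-config-changes`, the project `example-project` and the channel IDs are assumptions) and reports whether a metric with the required filter exists and whether an enabled alert policy with a notification channel references that metric. It normalizes quoting and whitespace before comparing filters, because the Console and CLI remediations below write the same filter with different quote styles.

```python
"""Offline audit of the two CLI checks: metric filter present, alert policy
enabled and bound to it. Added example; not part of the CIS benchmark."""
import json
import re
import sys

# The exact filter the benchmark requires on the log-based metric.
REQUIRED_FILTER = (
    'protoPayload.methodName="SetIamPolicy" AND '
    'protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
)

# Constructed sample of `gcloud beta logging metrics list --format json`.
# Field names follow the Logging API LogMetric resource; values are made up.
SAMPLE_METRICS = json.dumps([
    {"name": "iam-audit-config-changes",
     "description": "Audit configuration changes",
     # Same filter as REQUIRED_FILTER, but written with single quotes
     # (as the CLI remediation does) to show the normalization at work.
     "filter": "protoPayload.methodName='SetIamPolicy' AND "
               "protoPayload.serviceData.policyDelta.auditConfigDeltas:*",
     "metricDescriptor": {"metricKind": "DELTA", "valueType": "INT64"}},
    {"name": "syslog-lines", "filter": 'logName:"syslog"'},
])

# Constructed sample of `gcloud alpha monitoring policies list --format json`.
SAMPLE_POLICIES = json.dumps([
    {"name": "projects/example-project/alertPolicies/111",
     "displayName": "IAM audit config changes",
     "enabled": True,
     "conditions": [{"displayName": "count > 0",
                     "conditionThreshold": {
                         "filter": 'metric.type="logging.googleapis.com/user/iam-audit-config-changes"',
                         "comparison": "COMPARISON_GT",
                         "thresholdValue": 0}}],
     "notificationChannels": ["projects/example-project/notificationChannels/222"]},
    {"name": "projects/example-project/alertPolicies/333",
     "displayName": "disabled copy",
     "enabled": False,
     "conditions": [{"conditionThreshold": {
         "filter": 'metric.type="logging.googleapis.com/user/iam-audit-config-changes"'}}],
     "notificationChannels": []},
])


def normalize_filter(text: str) -> str:
    """Collapse whitespace and unify quote style so an equivalent filter
    written with single quotes still compares equal to REQUIRED_FILTER."""
    return re.sub(r"\s+", " ", text.replace("'", '"')).strip()


def matching_metrics(metrics: list) -> list:
    """Names of log-based metrics whose filter equals the required one."""
    want = normalize_filter(REQUIRED_FILTER)
    return [m["name"] for m in metrics
            if normalize_filter(m.get("filter", "")) == want]


def policies_for_metric(policies: list, metric_name: str) -> list:
    """Enabled alert policies with a condition on
    logging.googleapis.com/user/<metric_name>. The metric type is matched as
    a quoted value so a similarly named metric does not count."""
    needle = f'metric.type="logging.googleapis.com/user/{metric_name}"'
    hits = []
    for policy in policies:
        if not policy.get("enabled", False):
            continue
        for cond in policy.get("conditions", []):
            flt = cond.get("conditionThreshold", {}).get("filter", "")
            if needle in normalize_filter(flt):
                hits.append(policy)
                break
    return hits


def audit(metrics_json: str, policies_json: str) -> dict:
    """Compliant only if a matching metric exists, an enabled policy
    references it, and that policy has at least one notification channel."""
    names = matching_metrics(json.loads(metrics_json))
    policies = json.loads(policies_json)
    result = {"metric_found": bool(names), "metrics": names,
              "alert_found": False, "channels_configured": False}
    for name in names:
        for policy in policies_for_metric(policies, name):
            result["alert_found"] = True
            if policy.get("notificationChannels"):
                result["channels_configured"] = True
    result["compliant"] = (result["metric_found"] and result["alert_found"]
                           and result["channels_configured"])
    return result


if __name__ == "__main__":
    # Usage: python3 audit_check.py metrics.json policies.json
    # (files saved from the two gcloud list commands); no args runs the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            print(json.dumps(audit(f1.read(), f2.read()), indent=2))
    else:
        print(json.dumps(audit(SAMPLE_METRICS, SAMPLE_POLICIES), indent=2))
```

A disabled policy, or an enabled one without a notification channel, is reported as non-compliant even when its condition points at the right metric, which is the failure mode the "Enabled: true" and notification-channel checks above are meant to catch.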

Remediation Steps:

Using Google Cloud Console:

  1. Create a Log-Based Metric:

  • Click CREATE METRIC.

  • Enter the filter:
protoPayload.methodName="SetIamPolicy" AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*

  • Set Units to 1 (default) and Type to Counter.

  • Click Create Metric.

  2. Create an Alert Policy:

  • Navigate to User-defined Metrics and locate the created metric.

  • Click the three-dot menu and select Create alert from Metric.

  • Configure the alert policy:

    • Aggregator: Count

    • Condition: Any value above 0 triggers the alert.

    • Notification Channels: Add appropriate channels (e.g., email, SMS).

  • Save the policy.

Using Google Cloud CLI:

Create a Log-Based Metric:

gcloud beta logging metrics create <metric-name> \
  --description="<description>" \
  --log-filter="protoPayload.methodName='SetIamPolicy' AND protoPayload.serviceData.policyDelta.auditConfigDeltas:*"

Create an Alert Policy:

gcloud alpha monitoring policies create \
  --display-name="<policy-name>" \
  --conditions="<condition-config>" \
  --notification-channels="<notification-channels>"
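The `<condition-config>` placeholder in the alert policy command above is easiest to fill in as a policy file. The following script is an added example, not the benchmark's own code: it builds the alert policy as a Monitoring API AlertPolicy document (count aggregation, any value above 0, enabled, with notification channels) and returns the two gcloud commands as argument lists, using `--policy-from-file` rather than the page's inline placeholders. The metric name, the project ID `example-project` and the notification channel ID are assumptions.

```python
"""Build the alert policy file for the CLI remediation and the matching
gcloud commands. Added example; not part of the CIS benchmark."""
import json

# Same filter as the log-based metric remediation above.
REQUIRED_FILTER = (
    'protoPayload.methodName="SetIamPolicy" AND '
    'protoPayload.serviceData.policyDelta.auditConfigDeltas:*'
)


def build_alert_policy(metric_name: str, notification_channels: list,
                       display_name: str = None) -> dict:
    """AlertPolicy document: one threshold condition on the user metric,
    counting points per minute and firing when the count exceeds 0."""
    if not notification_channels:
        raise ValueError("at least one notification channel is required")
    metric_type = f"logging.googleapis.com/user/{metric_name}"
    return {
        "displayName": display_name or f"Alert on {metric_name}",
        "combiner": "OR",
        "enabled": True,
        "conditions": [{
            "displayName": f"{metric_name} count above zero",
            "conditionThreshold": {
                "filter": f'metric.type="{metric_type}"',
                # Console equivalent: Aggregator "Count".
                "aggregations": [{"alignmentPeriod": "60s",
                                  "perSeriesAligner": "ALIGN_COUNT"}],
                # Console equivalent: any value above 0 triggers the alert.
                "comparison": "COMPARISON_GT",
                "thresholdValue": 0,
                "duration": "0s",
            },
        }],
        # Full resource names: projects/<project>/notificationChannels/<id>
        "notificationChannels": list(notification_channels),
    }


def gcloud_commands(metric_name: str, policy_path: str) -> list:
    """Argument lists for the two remediation commands, in order."""
    return [
        ["gcloud", "beta", "logging", "metrics", "create", metric_name,
         "--description=Audit configuration changes",
         f"--log-filter={REQUIRED_FILTER}"],
        ["gcloud", "alpha", "monitoring", "policies", "create",
         f"--policy-from-file={policy_path}"],
    ]


if __name__ == "__main__":
    # Assumed values; replace with the target project's metric name and
    # channel resource name before running the printed commands.
    metric = "iam-audit-config-changes"
    channels = ["projects/example-project/notificationChannels/1234567890"]
    with open("policy.json", "w") as fh:
        json.dump(build_alert_policy(metric, channels), fh, indent=2)
    for argv in gcloud_commands(metric, "policy.json"):
        print(" ".join(argv))
```

The policy is built as a reviewable file so the condition can be diffed against the audit expectations (metric type `logging.googleapis.com/user/<name>`, enabled, channels present) before it is applied; an empty channel list is rejected because a policy that fires with nobody notified satisfies the metric check but not the intent of the control.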


References:

  1. Logs-Based Metrics

  2. Custom Metrics in Cloud Monitoring

  3. Alert Policies Documentation

  4. gcloud Logging Metrics

  5. IAM Policy Configurations

CIS Controls:

Control | Description | IG 1 | IG 2 | IG 3
8.2 Collect Audit Logs | Enable audit logging across enterprise assets. | | |
8.5 Collect Detailed Audit Logs | Enable detailed logs for sensitive data, including event source and timestamps. | | |

6.2 Activate Audit Logging | Ensure audit logging is enabled on all systems and devices. | | |
6.3 Enable Detailed Logging | Enable logging with event sources, users, timestamps, and other details. | | |