Profile Applicability:
Level 1
Description:
It is recommended to configure a log metric filter and alert to monitor changes related to Identity and Access Management (IAM) custom roles, including creation, deletion, and updates. Monitoring these changes ensures proper tracking of custom role configurations and minimizes the risk of over-privileged roles being created or modified without oversight.
Rationale:
IAM provides predefined roles for granular access control. However, custom roles can be created to meet specific organizational needs. Monitoring the creation, deletion, or updates of custom roles is crucial to:
Prevent unauthorized modifications.
Detect over-privileged roles early.
Ensure adherence to the principle of least privilege.
Impact:
Enabling logging may result in increased costs for storing and analyzing log data.
Default Value:
IAM custom role changes are not monitored by default.
Audit Steps:
Using Google Cloud Console:
Verify Log Metric Configuration:
Navigate to Logs-based Metrics.
- In the User-defined Metrics section, ensure a metric exists with the filter:
resource.type="iam_role"
AND (protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")Verify Alerting Policy Configuration:
Go to Alerting.
Confirm there is at least one alert policy for the above metric.
Check that the alert condition is configured to trigger when:
Threshold: Any value above 0 for custom role changes.
Notifications: Appropriate notification channels are configured.
Using Google Cloud CLI:
Verify Log Metric Configuration:
- List log metrics:
gcloud logging metrics list --format json- Check for a metric with the filter:
resource.type="iam_role"
AND (protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")Verify Alerting Policy Configuration:
- List alerting policies:
gcloud alpha monitoring policies list --format json- Ensure the output contains a policy where:
Condition Filter: Matches the above metric.
Enabled: true.
Remediation Steps:
Using Google Cloud Console:
Create a Log Metric:
Navigate to Logs-based Metrics.
Click CREATE METRIC and set:
Filter:
resource.type="iam_role"
AND (protoPayload.methodName="google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole")Metric Type: Counter
Units: 1 (default)
Click Create Metric.
Create an Alert Policy:
Locate the created metric under User-defined Metrics.
Click the three-dot menu and select Create alert from Metric.
Configure:
Aggregator: Count
Threshold: Above 0.
Condition: Any change triggers the alert.
Configure notification channels and save the policy.
Using Google Cloud CLI:
Create a Log Metric:
gcloud logging metrics create <metric-name> \
--description="Monitor IAM custom role changes" \
--log-filter="resource.type='iam_role' AND \
(protoPayload.methodName='google.iam.admin.v1.CreateRole' OR \
protoPayload.methodName='google.iam.admin.v1.DeleteRole' OR \
protoPayload.methodName='google.iam.admin.v1.UpdateRole')"Create an Alert Policy:
gcloud alpha monitoring policies create \
--display-name="<policy-name>" \
--conditions="<condition-config>" \
--notification-channels="<notification-channels>"