Profile Applicability:

Level 2

Description:

To monitor changes to Cloud Storage bucket IAM permissions, a log metric filter and associated alert policy should be configured. This ensures quick detection of unauthorized or unintended permission changes that could impact sensitive data stored in Cloud Storage.

Rationale:

Changes to Cloud Storage bucket permissions can expose sensitive data or compromise access control. By setting up log metrics and alerts, organizations can detect and respond to IAM permission modifications promptly, minimizing potential risks.

Impact:

Enabling logging may incur additional costs for log storage and processing, especially for organizations with frequent permission changes.

Default Value:

By default, there are no log metrics or alert policies configured for monitoring IAM permission changes on Cloud Storage buckets.

Audit Steps:

Using Google Cloud Console:

  1. Verify Log Metric Configuration:

  • Under User-defined Metrics, ensure a metric exists with the filter:

        resource.type="gcs_bucket"
        AND protoPayload.methodName="storage.setIamPermissions"

  2. Verify Alert Policy Configuration:

  • Confirm an alert policy is linked to the above metric with:

    • Condition: Triggers on any IAM permission change.

    • Threshold: 0 (alerts for every change).

  • Ensure appropriate notification channels are configured.

Using Google Cloud CLI:

  1. Verify Log Metric Configuration:

  • List all log metrics:

        gcloud logging metrics list --format json

  • Check for a metric with the following filter:

        resource.type="gcs_bucket"
        AND protoPayload.methodName="storage.setIamPermissions"

  2. Verify Alert Policy Configuration:

  • List alerting policies:

        gcloud alpha monitoring policies list --format json

  • Ensure an alert policy exists with:

    • Condition Filter: Matches the above metric.

    • Enabled: true.
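
The CLI audit above, implemented as a script that consumes the JSON output of both list commands, as an added example that is not part of the benchmark text: it normalises quote style and whitespace before comparing the metric filter, and accepts a policy only if it is enabled and one of its conditions filters on the metric's Monitoring type logging.googleapis.com/user/<metric-name>. The sample JSON in the block is constructed, and the metric and policy names are assumptions.

```python
import json

# Filter this recommendation requires; CLI output may differ in quoting and whitespace.
REQUIRED_FILTER = ('resource.type="gcs_bucket" '
                   'AND protoPayload.methodName="storage.setIamPermissions"')

# Constructed samples (not real project data) shaped like the JSON output of
# `gcloud logging metrics list` and `gcloud alpha monitoring policies list`, fields trimmed.
METRICS_JSON = """[
 {"name": "vm-ssh-logins", "filter": "resource.type=\\"gce_instance\\""},
 {"name": "gcs-iam-changes",
  "filter": "resource.type='gcs_bucket'  AND\\n protoPayload.methodName='storage.setIamPermissions'"}
]"""
POLICIES_JSON = """[
 {"displayName": "old gcs iam policy", "enabled": false, "conditions": [{"conditionThreshold":
  {"filter": "metric.type=\\"logging.googleapis.com/user/gcs-iam-changes\\" resource.type=\\"gcs_bucket\\""}}]},
 {"displayName": "GCS bucket IAM change", "enabled": true, "conditions": [{"conditionThreshold":
  {"filter": "metric.type=\\"logging.googleapis.com/user/gcs-iam-changes\\" resource.type=\\"gcs_bucket\\"",
   "comparison": "COMPARISON_GT", "thresholdValue": 0}}]}
]"""

def normalize_filter(text):
    # Unify quote style and collapse whitespace so equivalent filters compare equal.
    return " ".join(text.replace("'", '"').split())

def find_metric(metrics):
    # Name of the first logs-based metric whose filter matches the requirement, else None.
    want = normalize_filter(REQUIRED_FILTER)
    for metric in metrics:
        if normalize_filter(metric.get("filter", "")) == want:
            return metric["name"]
    return None

def find_enabled_policy(policies, metric_name):
    # A logs-based metric is exposed to Monitoring as logging.googleapis.com/user/<name>;
    # a policy counts only if it is enabled and one condition filters on that metric type.
    metric_type = f'metric.type="logging.googleapis.com/user/{metric_name}"'
    for policy in policies:
        if not policy.get("enabled"):
            continue
        for cond in policy.get("conditions", []):
            if metric_type in cond.get("conditionThreshold", {}).get("filter", ""):
                return policy.get("displayName")
    return None

def audit(metrics_json=METRICS_JSON, policies_json=POLICIES_JSON):
    # Run the CLI audit over the JSON text of both list commands.
    metric = find_metric(json.loads(metrics_json))
    policy = find_enabled_policy(json.loads(policies_json), metric) if metric else None
    return {"metric": metric, "policy": policy, "compliant": policy is not None}
```

On a real project, feed the script the saved output of the two gcloud list commands instead of the constructed samples.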

Remediation Steps:

Using Google Cloud Console:

  1. Create a Log Metric:

  • Click CREATE METRIC and configure:

    • Filter:

          resource.type="gcs_bucket"
          AND protoPayload.methodName="storage.setIamPermissions"

    • Type: Counter.

    • Units: 1 (default).

  • Click Create Metric.

  2. Create an Alert Policy:

  • Locate the newly created metric under User-defined Metrics.

  • Click the three-dot menu and select Create alert from Metric.

  • Configure the alert:

    • Aggregator: Count.

    • Threshold: Above 0.

    • Condition: Trigger alerts for any IAM permission change.

  • Configure notification channels and save the policy.

Using Google Cloud CLI:

Create a Log Metric:

    gcloud logging metrics create <metric-name> \
      --description="Monitor Cloud Storage IAM permission changes" \
      --log-filter="resource.type='gcs_bucket' AND protoPayload.methodName='storage.setIamPermissions'"

Create an Alert Policy:

    gcloud alpha monitoring policies create \
      --display-name="<policy-name>" \
      --conditions="<condition-config>" \
      --notification-channels="<notification-channels>"

References:

  1. Logs-Based Metrics

  2. Custom Metrics in Monitoring

  3. Alerts in Monitoring

  4. Logging CLI Reference

  5. Cloud Storage Overview

  6. IAM Roles in Cloud Storage

CIS Controls:

  Control                            Description                                                                          IG 1  IG 2  IG 3
  8.2 Collect Audit Logs             Enable audit logging across enterprise assets.
  8.5 Collect Detailed Audit Logs    Capture detailed logs to include timestamps, source/destination, and user actions.

  6.2 Activate Audit Logging         Ensure local logging is enabled on systems and devices.
  6.3 Enable Detailed Logging        Include event source, user details, and timestamp in logs.