Remediation
From Google Cloud Consoleβ
Create the prescribed log metricβ
-
Go to
Logging/Logs-based Metricsby visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC". -
Click the down arrow symbol on the
Filter Barat the rightmost corner and selectConvert to Advanced Filter. -
Clear any text and add:
resource.type="iam_role"
AND (protoPayload.methodName = "google.iam.admin.v1.CreateRole"
OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
OR protoPayload.methodName="google.iam.admin.v1.UpdateRole") -
Click
Submit Filter. Display logs appear based on the filter text entered by the user. -
In the
Metric Editormenu on the right, fill out the name field. SetUnitsto1(default) andTypetoCounter. This ensures that the log metric counts the number of log entries matching the advanced logs query. -
Click
Create Metric.
Create a prescribed Alert Policy�β
-
Identify the new metric that was just created under the section
User-defined Metricsat https://console.cloud.google.com/logs/metrics. -
Click the 3-dot icon in the rightmost column for the metric and select
Create alert from Metric. A new page displays. -
Fill out the alert policy configuration and click
Save. Choose the alerting threshold and configuration that makes sense for the user's organization. For example, a threshold of zero(0) for the most recent value ensures that a notification is triggered for every owner change in the project:Set `Aggregator` to `Count`
Set `Configuration`:
- Condition: above
- Threshold: 0
- For: most recent value -
Configure the desired notification channels in the section
Notifications. -
Name the policy and click
Save.
From Google Cloud CLIβ
Create the prescribed Log Metricβ
β’ Use the command: gcloud logging metrics create
Create the prescribed Alert Policyβ
β’ Use the command: gcloud alpha monitoring policies create