Skip to main content

πŸ“ Google Logging Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist 🟒

  • Contextual name: πŸ“ Log Metric Filter and Alerts for Project Ownership Assignments Changes do not exist 🟒
  • ID: /ce/ca/google/logging/project-ownership-assignments-and-changes-monitoring
  • Located in: πŸ“ Google Logging

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Logic​

Description​

Open File

Description​

In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner assignments should be monitored.

Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner are project owners.

The project owner has all the privileges on the project the role belongs to. These are summarized below:

β€’ All viewer permissions on all GCP Services within the project
β€’ Permissions for actions that modify the state of all GCP services within the project
β€’ Manage roles and permissions for a project and all resources within the project
β€’ Set up billing for a project

Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.

... see more

Remediation​

Open File

Remediation​

From Google Cloud Console​

Create the prescribed log metric​

  1. Go to Logging/Logs-based Metrics by visiting https://console.cloud.google.com/logs/metrics and click "CREATE METRIC".

  2. Click the down arrow symbol on the Filter Bar at the rightmost corner and select Convert to Advanced Filter.

  3. Clear any text and add:

     (protoPayload.serviceName="cloudresourcemanager.googleapis.com")
     AND (ProjectOwnership OR projectOwnerInvitee)
     OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE"
     AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
     OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
     AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")

  4. Click Submit Filter. The logs display based on the filter text entered by the user.

  5. In the Metric Editor menu on the right, fill out the name field. Set Units to 1 (default) and the Type to Counter. This ensures that the log metric counts the number of log entries matching the advanced logs query.

... see more

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό CIS GCP v1.2.0 β†’ πŸ’Ό 2.4 Ensure log metric filter and alerts exist for project ownership assignments/changes - Level 1 (Automated)1
πŸ’Ό CIS GCP v1.3.0 β†’ πŸ’Ό 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - Level 1 (Automated)1
πŸ’Ό CIS GCP v2.0.0 β†’ πŸ’Ό 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - Level 1 (Automated)1
πŸ’Ό CIS GCP v3.0.0 β†’ πŸ’Ό 2.4 Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes - Level 1 (Automated)1
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Logging and Monitoring Configuration59
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)118
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)265
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)17
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-2 Event Logging (L)(M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation (M)(H)118
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AU-12 Audit Record Generation (L)(M)(H)65
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.15 Logging1834
πŸ’Ό ISO/IEC 27001:2022 β†’ πŸ’Ό 8.20 Networks security514
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-3: Event data are collected and correlated from multiple sources and sensors1837
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy1632
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-03: Information is correlated from multiple sources46
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis37
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-01: Networks and network services are monitored to find potentially adverse events115
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events81
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident17
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved18
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved18
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-2 Event Logging417
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-7 Audit Record Reduction and Report Generation2118
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AU-12 Audit Record Generation44765
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 5.2 Ensure that all anti-virus mechanisms are maintained.9
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.11
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2 Implement automated audit trails for all system components.7625
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.1 All individual user accesses to cardholder data.414
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.2 All actions taken by any individual with root or administrative privileges.15
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.3 Access to all audit trails.9
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.4 Invalid logical access attempts.414
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.5 Use of and changes to identification and authentication mechanisms.116
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.2.6 Initialization, stopping, or pausing of the audit logs.9
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 10.3 Record audit trail entries for all system components for each event.610
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.1 The anti-malware solution(s) is kept current via automatic updates.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.2 The anti-malware solution performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.19
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.724
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.1 Audit logs capture all individual user access to cardholder data.14
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.15
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.3 Audit logs capture all access to audit logs.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.4 Audit logs capture all invalid logical access attempts.14
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.6 Audit logs capture all initialization of new audit logs, starting, stopping, or pausing of the existing audit logs.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.1.7 Audit logs capture all creation and deletion of system-level objects.9
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 10.2.2 Audit logs record the described details for each auditable event.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.1 The anti-malware solution(s) is kept current via automatic updates.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.2 The anti-malware solution performs periodic scans and active or real-time scans or performs continuous behavioral analysis of systems or processes.19
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 5.3.4 Audit logs for the anti-malware solution(s) are enabled and retained.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.1 For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks.11
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1 Audit logs are enabled and active for all system components and cardholder data.7124
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.1 Audit logs capture all individual user access to cardholder data.114
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.2 Audit logs capture all actions taken by any individual with administrative access, including any interactive use of application or system accounts.15
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.3 Audit logs capture all access to audit logs.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.4 Audit logs capture all invalid logical access attempts.114
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.5 Audit logs capture all changes to identification and authentication credentials.16
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.6 Audit logs capture all initialization of new audit logs, starting, stopping, or pausing of the existing audit logs.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.1.7 Audit logs capture all creation and deletion of system-level objects.9
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 10.2.2 Audit logs record the described details for each auditable event.9