More Info:

Ensure that the log metric filter and alerts exist for Custom Role changes.

Risk Level

Medium

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST, SOC2, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” in GCP using GCP console, you can follow the below steps:
  1. Open the GCP console and select the project for which you want to enable the Custom Role Change Log Alerts.
  2. Click on the “Navigation menu” on the top-left corner of the console and select “Logging” under the “TOOLS” section.
  3. In the Logging page, click on the “Create Sink” button.
  4. In the “Create Sink” page, provide a name for the sink in the “Name” field.
  5. In the “Sink Service” section, select “Cloud Pub/Sub” as the sink service.
  6. In the “Cloud Pub/Sub topic” field, select or create a new topic to which the logs will be sent.
  7. In the “Filter” section, add the following filter: 
protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"
This filter will capture the logs for any changes made to custom roles.
  1. Click on the “Create Sink” button to create the sink.
  2. Once the sink is created, click on the “Create Alert” button to create an alert based on the sink.
  3. In the “Create Alerting Policy” page, provide a name for the alert in the “Name” field.
  4. In the “Condition” section, click on the “Add Condition” button and select “Log-based Metric” as the condition type.
  5. In the “Log-based Metric” section, select the sink that you created in step 4.
  6. In the “Aggregation” section, select “Count” as the aggregation type and set the “Period” to 1 minute.
  7. In the “Filter” section, add the same filter that you added in step 7.
  8. In the “Configuration” section, set the “Threshold” to 1 and the “For” duration to 1 minute.
  9. In the “Notification Channels” section, select the notification channels to which you want to send the alerts.
  10. Click on the “Save” button to save the alerting policy.
Now, whenever a custom role is created, updated or deleted, a log entry will be created and sent to the Cloud Pub/Sub topic. The log-based metric and alerting policy that you created will capture these logs and send alerts to the specified notification channels.

To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” for GCP using GCP CLI, you can follow the below steps:
  1. Open the Cloud Shell in your GCP console.
  2. Run the following command to enable the Custom Role Change Log Alerts: 
gcloud alpha monitoring channels create --channel-content-type="text/plain" --display-name="Custom Role Change Log Alerts" --type="webhook" --channel-labels="project_id=<your-project-id>,role_change_alert=true" --description="Alerts when a custom role is created, updated, or deleted." --payload="{"text": "Custom role change detected in project <your-project-id>: $incident.name"}"
Note: Replace <your-project-id> with your actual GCP project ID.
  1. Run the following command to verify the Custom Role Change Log Alerts:
gcloud alpha monitoring channels list --filter="display_name:Custom Role Change Log Alerts"
This command will list all the channels with the display name “Custom Role Change Log Alerts”.
  1. If the above command returns a valid response, then the Custom Role Change Log Alerts have been successfully enabled.
By following the above steps, you can remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” for GCP using GCP CLI.
To remediate the misconfiguration “Custom Role Change Log Alerts Should Be Enabled” in GCP using Python, you can follow the below steps:
  1. First, you need to check if the Stackdriver Logging API is enabled for the project. You can do this by running the following command in the Cloud Shell:
gcloud services list --enabled --filter=NAME | grep logging.googleapis.com
  1. If the Stackdriver Logging API is not enabled, you need to enable it by running the following command:
gcloud services enable logging.googleapis.com
  1. Next, you need to create a sink to export the logs to Cloud Pub/Sub. You can do this by running the following command:
gcloud logging sinks create [SINK_NAME] pubsub.googleapis.com/projects/[PROJECT_ID]/topics/[TOPIC_NAME] --log-filter='protoPayload.methodName="google.iam.admin.v1.CreateRole" OR protoPayload.methodName="google.iam.admin.v1.UpdateRole" OR protoPayload.methodName="google.iam.admin.v1.DeleteRole"'
Note: Replace [SINK_NAME], [PROJECT_ID], and [TOPIC_NAME] with appropriate values.
  1. After creating the sink, you need to grant the Pub/Sub Publisher role to the service account that will be used to create the sink. You can do this by running the following command:
gcloud projects add-iam-policy-binding [PROJECT_ID] --member=serviceAccount:[SERVICE_ACCOUNT_EMAIL] --role=roles/pubsub.publisher
Note: Replace <PROJECT_ID> and <SERVICE_ACCOUNT_EMAIL> with appropriate values.
  1. Finally, you need to create a Cloud Function that will be triggered by the Pub/Sub topic and send an alert to the appropriate channels. You can use the following Python code as a starting point:
import base64
import json

def custom_role_change_log_alert(event, context):
    pubsub_message = base64.b64decode(event['data']).decode('utf-8')
    log_entry = json.loads(pubsub_message)['protoPayload']
    # TODO: Implement alerting logic here
Note: Replace the TODO comment with the actual alerting logic.
  1. Deploy the Cloud Function by running the following command:
gcloud functions deploy [FUNCTION_NAME] --runtime python37 --trigger-topic [TOPIC_NAME] --entry-point custom_role_change_log_alert
Note: Replace <FUNCTION_NAME> and <TOPIC_NAME> with appropriate values.After following these steps, your GCP project should be remediated for the misconfiguration “Custom Role Change Log Alerts Should Be Enabled”.