Project Ownership Change Log Alerts Should Be Enabled

More Info:

Ensures that logging and log alerts exist for project ownership assignments and changes. Project Ownership is the highest level of privilege on a project, any changes in project ownership should be heavily monitored to prevent unauthorized changes.

Risk Level

High

Address

Security

Compliance Standards

CISGCP, CBP, HIPAA, ISO27001, HITRUST

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” in GCP using GCP CLI, please follow the below steps:

Open the Cloud Shell in the GCP console.

Run the following command to enable project ownership change log alerts:

gcloud alpha logging sinks create PROJECT_OWNERSHIP_CHANGE_ALERTS \
pubsub.googleapis.com/projects/$(gcloud config get-value project)/topics/gcp-logging-alerts \
--log-filter='resource.type="audited_resource" AND protoPayload.methodName="google.cloud.resourcemanager.v1.Projects.ChangeOwnership"' \
--format='value(writerIdentity)'

This command creates a new sink named PROJECT_OWNERSHIP_CHANGE_ALERTS that sends log entries matching the specified filter to a Pub/Sub topic named gcp-logging-alerts.

Run the following command to create a new Pub/Sub subscription for the gcp-logging-alerts topic:
```
gcloud pubsub subscriptions create PROJECT_OWNERSHIP_CHANGE_ALERTS \
--topic=gcp-logging-alerts \
--ack-deadline=30 \
--expiration-period=never
```
This command creates a new subscription named PROJECT_OWNERSHIP_CHANGE_ALERTS for the gcp-logging-alerts topic with an acknowledgement deadline of 30 seconds and no expiration period.
Run the following command to create a new Cloud Function that processes the log entries sent to the gcp-logging-alerts topic:
```
gcloud functions deploy process_project_ownership_change_alerts \
--entry-point=process_log_entry \
--runtime=python37 \
--trigger-topic=gcp-logging-alerts \
--memory=128MB \
--timeout=30s \
--env-vars-file=env.yaml \
--source=./function
```
This command deploys a new Cloud Function named process_project_ownership_change_alerts that processes log entries sent to the gcp-logging-alerts topic. The function is triggered by messages sent to the topic and has a memory limit of 128MB, a timeout of 30 seconds, and uses the env.yaml file to set environment variables.
Verify that the alerts are working by changing the ownership of a project in GCP. You should receive an alert in the Pub/Sub topic and the Cloud Function should process the log entry.

By following the above steps, you have successfully remediated the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” for GCP using Python, you can follow the below steps:

First, you need to import the necessary libraries. You can use the Google Cloud Client Library for Python to interact with GCP APIs. Install the library using the following command:
```
pip install google-cloud-monitoring
```
Once you have installed the library, you need to authenticate your application. You can authenticate using a service account by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of the service account key file.
```
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_key.json
```

After authentication, you can use the google.cloud.monitoring_v3.MetricServiceClient class to enable the “Project Ownership Change Log Alerts”. Use the create_alert_policy method to create a new alert policy for the metric gce_instance_update.

from google.cloud.monitoring_v3 import AlertPolicy
from google.cloud.monitoring_v3 import MetricServiceClient
from google.cloud.monitoring_v3.types import AlertPolicyCondition

client = MetricServiceClient()

# Define the alert policy condition
alert_condition = AlertPolicyCondition(
    metric_type="logging.googleapis.com/user/project_change",
    filter='protoPayload.methodName="SetIamPolicy"',
    duration={"seconds": 300},
    comparison={"comparison": "COMPARISON_GT", "threshold_value": 0},
    trigger={"count": 1},
    aggregations=[{"alignment_period": {"seconds": 300}, "per_series_aligner": "ALIGN_COUNT"}],
)

# Define the alert policy
alert_policy = AlertPolicy(
    display_name="Project Ownership Change Log Alerts",
    combiner="OR",
    conditions=[alert_condition],
    notification_channels=[],
)

# Create the alert policy
project_name = f"projects/{project_id}"
response = client.create_alert_policy(project_name, alert_policy)
print(f"Created alert policy: {response.name}")

After executing the above code, the “Project Ownership Change Log Alerts” will be enabled for your GCP project.

Note: Make sure that the service account used to authenticate has the necessary permissions to create alert policies in your GCP project.

Additional Reading:

https://cloud.google.com/logging/docs/logs-based-metrics

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Project Ownership Change Log Alerts Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: