GCP Introduction
GCP Pricing
GCP Threats
GCP Misconfigurations
- Getting Started with GCP Audit
- CloudSql Audit
- Cloud Tasks Monitoring
- Dataflow Monitoring
- Function Monitoring
- Monitoring Compliance
- PubSubLite Monitoring
- Spanner Monitoring
- NoSQL Monitoring
- Compute Audit
- IAM Audit
- BigQuery Monitoring
- CDN Monitoring
- DNS Monitoring
- KMS Monitoring
- Kubernetes Audit
- Load Balancer Monitoring
- Log Monitoring
- Storage Audit
- Pub/Sub Monitoring
- VPC Audit
- IAM Deep Dive
GCP Threats
Project Ownership Change Log Alerts Should Be Enabled
More Info:
Ensures that logging and log alerts exist for project ownership assignments and changes. Project Ownership is the highest level of privilege on a project, any changes in project ownership should be heavily monitored to prevent unauthorized changes.
Risk Level
High
Address
Security
Compliance Standards
CISGCP, CBP, HIPAA, ISO27001, HITRUST
Triage and Remediation
Remediation
To remediate the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” for GCP using GCP console, follow the below steps:
- Login to the GCP console.
- Navigate to the “Logging” section from the left-hand menu.
- In the “Logging” section, click on “Logs Explorer”.
- In the “Logs Explorer” page, select the “Resource” dropdown and select the project for which you want to enable the ownership change log alerts.
- In the search bar, type “project ownership change” and press enter.
- From the search results, select “Admin Activity” and then select “Project Ownership Change”.
- Click on “Create Metric” and give a name to the metric.
- Click on “Create Alert” and configure the alert as per your requirement.
- Click on “Save” to save the alert configuration.
By following the above steps, you will be able to enable the “Project Ownership Change Log Alerts” for the selected project in GCP.
To remediate the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” in GCP using GCP CLI, please follow the below steps:
-
Open the Cloud Shell in the GCP console.
-
Run the following command to enable project ownership change log alerts:
gcloud alpha logging sinks create PROJECT_OWNERSHIP_CHANGE_ALERTS \ pubsub.googleapis.com/projects/$(gcloud config get-value project)/topics/gcp-logging-alerts \ --log-filter='resource.type="audited_resource" AND protoPayload.methodName="google.cloud.resourcemanager.v1.Projects.ChangeOwnership"' \ --format='value(writerIdentity)'This command creates a new sink named
PROJECT_OWNERSHIP_CHANGE_ALERTSthat sends log entries matching the specified filter to a Pub/Sub topic namedgcp-logging-alerts. -
Run the following command to create a new Pub/Sub subscription for the
gcp-logging-alertstopic:gcloud pubsub subscriptions create PROJECT_OWNERSHIP_CHANGE_ALERTS \ --topic=gcp-logging-alerts \ --ack-deadline=30 \ --expiration-period=neverThis command creates a new subscription named
PROJECT_OWNERSHIP_CHANGE_ALERTSfor thegcp-logging-alertstopic with an acknowledgement deadline of 30 seconds and no expiration period. -
Run the following command to create a new Cloud Function that processes the log entries sent to the
gcp-logging-alertstopic:gcloud functions deploy process_project_ownership_change_alerts \ --entry-point=process_log_entry \ --runtime=python37 \ --trigger-topic=gcp-logging-alerts \ --memory=128MB \ --timeout=30s \ --env-vars-file=env.yaml \ --source=./functionThis command deploys a new Cloud Function named
process_project_ownership_change_alertsthat processes log entries sent to thegcp-logging-alertstopic. The function is triggered by messages sent to the topic and has a memory limit of 128MB, a timeout of 30 seconds, and uses theenv.yamlfile to set environment variables. -
Verify that the alerts are working by changing the ownership of a project in GCP. You should receive an alert in the Pub/Sub topic and the Cloud Function should process the log entry.
By following the above steps, you have successfully remediated the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” in GCP using GCP CLI.
To remediate the misconfiguration “Project Ownership Change Log Alerts Should Be Enabled” for GCP using Python, you can follow the below steps:
-
First, you need to import the necessary libraries. You can use the Google Cloud Client Library for Python to interact with GCP APIs. Install the library using the following command:
pip install google-cloud-monitoring -
Once you have installed the library, you need to authenticate your application. You can authenticate using a service account by setting the
GOOGLE_APPLICATION_CREDENTIALSenvironment variable to the path of the service account key file.export GOOGLE_APPLICATION_CREDENTIALS=/path/to/service_account_key.json -
After authentication, you can use the
google.cloud.monitoring_v3.MetricServiceClientclass to enable the “Project Ownership Change Log Alerts”. Use thecreate_alert_policymethod to create a new alert policy for the metricgce_instance_update.from google.cloud.monitoring_v3 import AlertPolicy from google.cloud.monitoring_v3 import MetricServiceClient from google.cloud.monitoring_v3.types import AlertPolicyCondition client = MetricServiceClient() # Define the alert policy condition alert_condition = AlertPolicyCondition( metric_type="logging.googleapis.com/user/project_change", filter='protoPayload.methodName="SetIamPolicy"', duration={"seconds": 300}, comparison={"comparison": "COMPARISON_GT", "threshold_value": 0}, trigger={"count": 1}, aggregations=[{"alignment_period": {"seconds": 300}, "per_series_aligner": "ALIGN_COUNT"}], ) # Define the alert policy alert_policy = AlertPolicy( display_name="Project Ownership Change Log Alerts", combiner="OR", conditions=[alert_condition], notification_channels=[], ) # Create the alert policy project_name = f"projects/{project_id}" response = client.create_alert_policy(project_name, alert_policy) print(f"Created alert policy: {response.name}") -
After executing the above code, the “Project Ownership Change Log Alerts” will be enabled for your GCP project.
Note: Make sure that the service account used to authenticate has the necessary permissions to create alert policies in your GCP project.