Plugin Title | Project Ownership Logging |
Cloud | GOOGLE |
Category | Logging |
Description | Ensures that logging and log alerts exist for project ownership assignments and changes |
More Info | Project ownership is the highest level of privilege on a project. Any change to project ownership should be monitored closely so that unauthorized changes are detected promptly. |
GOOGLE Link | https://cloud.google.com/logging/docs/logs-based-metrics/ |
Recommended Action | Ensure that log alerts exist for project ownership assignments and changes. |
- Log in to the Google Cloud Platform Console.
- Navigate to "Logs-based metrics" under "Logging" (https://console.cloud.google.com/logs/metrics?walkthrough_id=panels--logging--query) and click the "CREATE METRIC" button at the top.
- On the "Metric editor" tab, enter the "Name" (for example, ProjectOwnership) and "Description". In the required filter field, enter:
  (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")
  Note that in the Logging query language OR binds more tightly than AND, so the serviceName restriction applies to all of the OR'ed clauses: the filter matches any addition or removal of a roles/owner binding recorded by Resource Manager.
- Click on the "Create metric" button at the bottom to make the changes.
- On the "Logs-based metrics" page, under "User-defined metrics", click the three dots next to the newly created metric and choose "Create alert from metric".
- Make sure the "Monitoring Filter" is metric.type="logging.googleapis.com/user/<metric name>", for example metric.type="logging.googleapis.com/user/ProjectOwnership" when the metric was named ProjectOwnership.
- Set the "Condition", "Threshold" and duration so that any log entry counted by the metric triggers the alert, then click "Save".
- Once the condition is saved, enter a name for the alerting policy, choose when the policy triggers from the "Policy triggers" dropdown, and select the notification channel(s) that should receive the alert.
- Click the "Save" button at the bottom to create the alerting policy.
- Repeat these steps for every GCP project where this is required.
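To check what the filter above actually counts before wiring an alert to it, the following added example (not CloudSploit's code, and it never contacts GCP) evaluates the filter against a handful of constructed audit log entries shaped like Resource Manager SetIamPolicy records. It reproduces two evaluation rules of the Cloud Logging query language that are easy to get wrong when translating a filter by hand: NOT binds tightest, then OR, then AND (the reverse of Python), so the filter reads as A AND (B OR C OR D); and a comparison on a repeated field such as bindingDeltas is true if any element matches. The service name "example-service.googleapis.com", the principals and the project id are placeholders.

```python
"""Evaluate the project-ownership log filter against sample audit log entries.

Added example (not CloudSploit's code): it never talks to GCP. It emulates
how Cloud Logging evaluates the page's filter: in the Logging query language
NOT binds tightest, then OR, then AND (the reverse of Python), and a
comparison on a repeated field such as bindingDeltas holds if any element
matches. The sample entries below are constructed, not real log exports.
"""
import json

SERVICE = "cloudresourcemanager.googleapis.com"


def _proto(entry):
    return entry.get("protoPayload", {})


def _binding_deltas(entry):
    # protoPayload.serviceData.policyDelta.bindingDeltas is a repeated field.
    return (_proto(entry).get("serviceData", {})
            .get("policyDelta", {})
            .get("bindingDeltas", []))


def _any_delta(entry, field, value):
    # A comparison on a repeated field is true if ANY element matches.
    return any(delta.get(field) == value for delta in _binding_deltas(entry))


def _global_term(entry, text):
    # An unqualified term (ProjectOwnership, projectOwnerInvitee) is a global
    # restriction that matches anywhere in the entry; approximated here as a
    # substring match over the serialized entry.
    return text in json.dumps(entry)


def matches_ownership_filter(entry):
    """True if the page's filter, (A) AND (B) OR (C) OR (D), matches `entry`.

    Because OR binds tighter than AND in the Logging query language, the
    filter is evaluated as A AND (B OR C OR D): the serviceName restriction
    applies to every clause. Python's `and` binds tighter than `or`, so the
    grouping is written out explicitly rather than copied literally.
    """
    a = _proto(entry).get("serviceName") == SERVICE
    b = (_global_term(entry, "ProjectOwnership")
         or _global_term(entry, "projectOwnerInvitee"))
    c = (_any_delta(entry, "action", "REMOVE")
         and _any_delta(entry, "role", "roles/owner"))
    d = (_any_delta(entry, "action", "ADD")
         and _any_delta(entry, "role", "roles/owner"))
    return a and (b or c or d)


def _set_iam_policy_entry(service, deltas, principal="admin@example.com"):
    # Constructed entry shaped like a SetIamPolicy audit log record.
    return {
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": service,
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": principal},
            "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
        },
        "resource": {"type": "project",
                     "labels": {"project_id": "example-project"}},
    }


# Constructed samples: two owner changes that must alert, two that must not.
SAMPLE_ENTRIES = {
    "add_owner": _set_iam_policy_entry(SERVICE, [
        {"action": "ADD", "role": "roles/owner",
         "member": "user:new-owner@example.com"}]),
    "remove_owner": _set_iam_policy_entry(SERVICE, [
        {"action": "REMOVE", "role": "roles/owner",
         "member": "user:old-owner@example.com"}]),
    "add_editor": _set_iam_policy_entry(SERVICE, [
        {"action": "ADD", "role": "roles/editor",
         "member": "user:dev@example.com"}]),
    # Same owner delta but recorded under a placeholder service name:
    # excluded because the serviceName restriction covers all clauses.
    "other_service": _set_iam_policy_entry("example-service.googleapis.com", [
        {"action": "ADD", "role": "roles/owner",
         "member": "user:dev@example.com"}]),
}


def triggered(entries=SAMPLE_ENTRIES):
    """Names of the sample entries the metric would count (sorted)."""
    return sorted(name for name, entry in entries.items()
                  if matches_ownership_filter(entry))


if __name__ == "__main__":
    print(triggered())  # ['add_owner', 'remove_owner']
```

The point of the grouping in matches_ownership_filter is the one to carry over when porting this filter to any other tool: a literal translation into a language where AND binds tighter than OR would drop the serviceName guard from the two bindingDeltas clauses and alert on roles/owner changes from any service.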