Cloud Logging defines a log-based metric for Cloud Storage IAM changes using filter resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions", and a Cloud Monitoring alert policy that references that metric.
Risk
Lack of alerting on bucket IAM changes degrades confidentiality and integrity. Adversaries or misconfigurations can:
- grant broad/public access
- persist access by adding roles
- read, alter, or delete data
Delays in detection enable data exfiltration, tampering, and disruptive actions.
prowler gcp --checks logging_log_metric_filter_and_alert_for_bucket_permission_changes_enabled
Recommendation
Establish a log-based metric for bucket IAM permission changes with filter resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions" and link a log-based alert policy with clear notifications. Enforce least privilege and separation of duties, and routinely review alerts and audit logs to prevent and contain unauthorized access.
Remediation
- In Google Cloud console, go to Logging > Logs-based metrics
- Click Create metric
- Name: <example_resource_name>
- In Filter, paste: resource.type="gcs_bucket" AND protoPayload.methodName="storage.setIamPermissions"
- Click Create
- In the metrics list, click the three dots for the new metric and select Create alert from metric
- Keep condition as Count > 0 for Most recent value and click Save
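The following is an added example, not Prowler's own code: a local, simplified model of what this check evaluates (a metric whose filter matches the one above, plus an enabled alert policy whose condition reads that user metric), together with a predicate showing which audit log entries the metric would count. The metric and policy inventories and the log entries are constructed samples; the `LogMetric`, `AlertPolicy`, `evaluate` and `entry_matches` names are this example's own.

```python
from dataclasses import dataclass

# Filter the check looks for (same as on the page).
REQUIRED_FILTER = ('resource.type="gcs_bucket" AND '
                   'protoPayload.methodName="storage.setIamPermissions"')

@dataclass
class LogMetric:           # simplified logging.googleapis.com/LogMetric
    name: str
    filter: str

@dataclass
class AlertPolicy:         # simplified Cloud Monitoring alert policy
    display_name: str
    enabled: bool
    condition_filter: str  # the metric filter inside the policy's condition

def clauses(log_filter: str) -> frozenset:
    """Split a filter on AND so clause order and spacing do not matter."""
    return frozenset(c.strip() for c in log_filter.split(" AND "))

def entry_matches(entry: dict) -> bool:
    """Would this (flattened) audit log entry be counted by the metric?"""
    return (entry.get("resource.type") == "gcs_bucket"
            and entry.get("protoPayload.methodName") == "storage.setIamPermissions")

def policy_covers(policy: AlertPolicy, metric: LogMetric) -> bool:
    """Enabled policy whose condition reads the user-defined metric."""
    user_metric = f'metric.type="logging.googleapis.com/user/{metric.name}"'
    return policy.enabled and user_metric in policy.condition_filter

def evaluate(metrics, policies):
    """PASS only if a metric with the required filter has an enabled alert policy."""
    matching = [m for m in metrics if clauses(m.filter) == clauses(REQUIRED_FILTER)]
    if not matching:
        return "FAIL", "no log-based metric for storage.setIamPermissions"
    for m in matching:
        if any(policy_covers(p, m) for p in policies):
            return "PASS", f"metric {m.name} has an enabled alert policy"
    return "FAIL", "metric found but no enabled alert policy references it"

# Constructed sample inventory (not real project data).
METRICS = [LogMetric("bucket_iam_changes", REQUIRED_FILTER),
           LogMetric("unrelated", 'resource.type="gce_instance"')]
POLICIES = [AlertPolicy("Bucket IAM changed", True,
            'metric.type="logging.googleapis.com/user/bucket_iam_changes"')]

if __name__ == "__main__":
    print(evaluate(METRICS, POLICIES))
```

A disabled policy, or one pointing at a different user metric, makes the model return FAIL, which is the state the console steps above fix.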
Source Code
Resource Type
logging.googleapis.com/LogMetric