Detect GCP Cloud DNS Configuration Changes

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Cloud DNS service level, in your GCP account.
Cloud DNS is a highly available, reliable, low-latency Domain Name System (DNS) service in Google Cloud that can be used publish domain names to the global DNS in a cost-effective way. Cloud DNS enables you to register, manage, and serve your domain names. The DNS service lets you publish your managed zones and records in DNS without the need of managing your own DNS servers and software.
Similar to other Google Cloud services, Cloud DNS produces audit logs that can help you find who used the cloud service to create and configure DNS resources, where and when. As a security best practice, you need to be aware of all configuration changes made at the Cloud DNS service level, changes such as creating managed zones, updating resource record sets, or setting policies.
Trend Micro Cloud One™ – Conformity RTMA uses the audit information collected by Google Cloud to process and send notifications about the configurations changes performed at the Cloud DNS level.
The activity detected by the Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operations:

• "dns.managedZones.create" - Creates a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix (such as trendmicro.com).
• "dns.managedZones.patch" - Performs a partial update to an existing DNS managed zone.
• "dns.resourceRecordSets.create" - Creates a new resource record set. A resource record set represents a collection of DNS records with the same label, class, and type, but with different data. These record sets hold the current state of the DNS records that assemble a managed zone.
• "dns.resourceRecordSets.patch" - Performs a partial update to an existing resource record set.
• "dns.policies.create" - Creates a new DNS server policy. This type of policy allows you to access name resolution services provided by GCP in a VPC network with inbound forwarding or supersede the VPC name resolution order with an outbound server policy.
• "dns.policies.update" - Performs a partial update to an existing DNS server policy.

To follow cloud security best practices and implement the Principle of Least Privilege (POLP), Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide GCP users (except administrators or authorized personnel) the permission to perform Cloud DNS configuration changes within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for Cloud DNS configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.