
Enable Monitoring for Bucket Permission Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CloudLogging-001

Ensure that each Google Cloud Platform (GCP) project has configured a GCP alerting policy that is triggered each time a Google Cloud Storage bucket permission change is made. The log filter pattern used to recognize the bucket permission changes is 'resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions'.

This rule resolution is part of the Conformity Security & Compliance tool for GCP.

Security

By using Google Cloud log metrics and alerting policies to monitor IAM permission changes made to your Cloud Storage buckets, you can reduce the time it takes to detect and correct any misconfigured permissions applied to your production and business critical buckets and protect the sensitive data inside those buckets.


Audit

To determine if the Cloud Storage bucket permission changes are currently monitored within your GCP projects, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the left navigation panel, select Logs-based Metrics to view all the log metrics (predefined and user-defined metrics) available for the selected GCP project.

05 On the Logs-based Metrics page, in the User-defined metrics section, click inside the Filter user-defined metrics box, select Filter, and paste the following filter pattern: resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions. Press Enter to filter the existing metrics and return the ones that match the given filter. If one or more active (enabled) metrics are returned, continue the Audit process with the next step. Otherwise, if no enabled metrics are returned in the User-defined metrics list, there are no user-defined log metrics created to detect permission changes that match the filter expression, therefore the Google Cloud Storage bucket permission changes are not being monitored within the selected GCP project.

06 Navigate to Alerting Policies page at https://console.cloud.google.com/monitoring/alerting/policies.

07 Click on the display name of the alerting policy that you want to examine.

08 On the selected policy configuration page, check the following parameters. For a compliant alerting policy, all the following parameters (i.e. status, metric name, and notification channels) must be properly configured. If one or more parameters are not properly configured, the selected alerting policy is not compliant (i.e. the policy is not monitoring for bucket permission changes):

  1. Check the alerting policy status displayed next to the policy main menu. If the status is not set to ENABLED, the selected policy is not enabled.
  2. In the Conditions section, click on the information button (i icon) available for the policy condition, to determine the name of the logs-based metric associated with the selected alerting policy, i.e. logging/user/[log-metric-name], where [log-metric-name] is the name of the valid metric returned at step no. 5. If the name of the valid metric is not listed in the condition information section, the selected policy is not associated with the metric that we want.
  3. Check for any notification channels listed in the Notification Channels section. If there are no valid notifications channels configured in this section, the selected policy is not properly configured.

09 Repeat steps no. 7 and 8 for each alerting policy created for the selected GCP project. If none of the policies available has the appropriate configuration, there are no alerting policies configured to monitor Google Cloud Storage bucket permission changes within the selected project.

10 Repeat steps no. 2 – 9 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with custom query filters to list the ID of each project available in your Google Cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-frontend-app-112233
cc-big-data-app-111222
cc-prod-web-app-123123

03 Run logging metrics list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter and custom query filters to list the user-defined logs-based metrics created for the selected project:

gcloud beta logging metrics list \
  --project cc-frontend-app-112233 \
  --format="table(name)"

04 The command output should return the names of the requested logs-based metrics:

NAME:
cc-firewall-rule-changes
cc-vpc-network-changes

05 Run logging metrics describe command (Windows/macOS/Linux) using the name of the logs-based metric that you want to examine as the identifier parameter and custom formatting to describe the filter defined for the selected metric:

gcloud beta logging metrics describe cc-firewall-rule-changes \
  --format="table(filter)"

06 The command output should return the requested logs-based metric filter:

FILTER: resource.type=gce_firewall_rule AND protoPayload.methodName=v1.compute.firewalls.patch OR protoPayload.methodName=v1.compute.firewalls.insert

If the metric filter returned by the logging metrics describe command output is different from the following filter pattern: resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions, the selected user-defined logs-based metric is not configured to recognize storage bucket permission changes.

07 Repeat steps no. 5 and 6 for each metric created for the selected project. If one or more metrics have the filter pattern listed above, continue the Audit process with the next step. Otherwise, if none of the metrics available has the required filter, there are no user-defined log metrics created to detect permission changes that match the filter expression, therefore the Google Cloud Storage bucket permission changes are not being monitored within the selected GCP project.

08 Run monitoring policies list command (Windows/macOS/Linux) using the ID of the GCP project that you want to examine as the identifier parameter, to list the name of each alerting policy created for the selected project:

gcloud alpha monitoring policies list \
  --project cc-frontend-app-112233 \
  --format="table(name)"

09 The command output should return the names of the requested alerting policies:

NAME: 
projects/cc-frontend-app-112233/alertPolicies/1234567890123456789
projects/cc-frontend-app-112233/alertPolicies/1122334455667788990

10 Run monitoring policies describe command (Windows/macOS/Linux) using the name of the alerting policy that you want to examine as the identifier parameter and custom formatting to describe the policy configuration:

gcloud alpha monitoring policies describe projects/cc-frontend-app-112233/alertPolicies/1234567890123456789 \
  --format="json"

11 The command output should return the configuration information available for the selected policy:

{
	"alertStrategy": {
		"autoClose": "604800s"
	},
	"combiner": "OR",
	"conditions": [
		{
			"conditionThreshold": {
				"aggregations": [
					{
						"alignmentPeriod": "600s",
						"crossSeriesReducer": "REDUCE_COUNT",
						"perSeriesAligner": "ALIGN_DELTA"
					}
				],
				"comparison": "COMPARISON_GT",
				"duration": "0s",
				"filter": "metric.type=\"logging.googleapis.com/user/cc-monitor-firewall-changes\"",
				"trigger": {
					"count": 1
				}
			},
			"displayName": "logging/user/cc-monitor-firewall-changes [COUNT]",
			"name": "projects/cc-frontend-app-112233/alertPolicies/1234567890123456789/conditions/1277204009176305411"
		}
	],
	"creationRecord": {
		"mutateTime": "2023-10-27T10:48:09.866783684Z",
		"mutatedBy": "ops@domain.com"
	},
	"displayName": "cc-prod-alert-policy",
	"enabled": false,
	"mutationRecord": {
		"mutateTime": "2023-04-02T10:36:45.043411689Z",
		"mutatedBy": "ops@domain.com"
	},
	"name": "projects/cc-frontend-app-112233/alertPolicies/1234567890123456789",
	"notificationChannels": [
		"projects/cc-frontend-app-112233/notificationChannels/12341234123412341234"
	]
}

12 Run monitoring channels describe command (Windows/macOS/Linux) using the name of the notification channel associated with the selected alerting policy as the identifier parameter, to describe the channel configuration:

gcloud alpha monitoring channels describe "projects/cc-frontend-app-112233/notificationChannels/12341234123412341234" \
  --format=json

13 The command output should return the configuration information available for the selected notification channel:

{
	"displayName": "user@domain.com",
	"enabled": true,
	"labels": {
		"email_address": "user@domain.com"
	},
	"name": "projects/cc-frontend-app-112233/notificationChannels/12341234123412341234",
	"type": "email"
}

14 Check the configuration information returned at steps no. 11 and 13 for the following parameters. For a compliant alerting policy, all the following parameters (i.e. status, metric name, and notification channels) must be properly configured. If one or more parameters are not properly configured, the selected alerting policy is not compliant:

  1. Check the alerting policy status returned at step no. 11. If "enabled" is set to false, the selected policy is not enabled.
  2. Check the policy condition returned at step no. 11 to determine the name of the logs-based metric associated with the selected alerting policy, i.e. metric.type=\"logging.googleapis.com/user/[log-metric-name]\", where [log-metric-name] is the name of the valid metric returned at step no. 7. If the name of the valid metric is not listed in the policy condition configuration, the selected policy is not associated with the metric that we want.
  3. Check the notification channels returned at step no. 13 for compliance. If there are no valid notification channels returned at this step, the selected policy is not properly configured.

15 Repeat steps no. 10 – 14 for each alerting policy available for the selected GCP project. If none of the verified policies has the appropriate configuration, there are no alerting policies configured to monitor Google Cloud Storage bucket permission changes within the selected project.

16 Repeat steps no. 3 – 15 for each GCP project deployed in your Google Cloud account.
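The CLI audit above is a lot of manual steps per project. The script below is an added example (not part of the Conformity rule or of gcloud) that runs the same checks end to end: it lists the user-defined logs-based metrics, keeps those whose filter is the required bucket-permission pattern, then applies the three checks of step 14 (enabled, condition references a valid metric, at least one enabled notification channel) to every alerting policy. It assumes the gcloud commands from this section with --format=json, treats a channel as valid when it reports "enabled": true, and uses a constructed sample policy condensed from the step 11 output when run without project IDs.

```python
import json
import re
import subprocess
import sys

# Filter pattern the rule requires (Audit step 5).
REQUIRED_FILTER = "resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions"
METRIC_PREFIX = "logging.googleapis.com/user/"
# Constructed sample, condensed from the policy shown at Audit step 11 (not a live object).
SAMPLE_POLICY = {
    "name": "projects/cc-frontend-app-112233/alertPolicies/1234567890123456789",
    "enabled": False,
    "conditions": [{"conditionThreshold": {
        "filter": 'metric.type="logging.googleapis.com/user/cc-monitor-firewall-changes"'}}],
    "notificationChannels": ["projects/cc-frontend-app-112233/notificationChannels/12341234123412341234"],
}

def normalize_filter(expr: str) -> str:
    """Canonicalize a Logging filter so spacing and quoting differences do not hide a match."""
    return " ".join(re.sub(r"\s*=\s*", "=", expr.replace('"', "")).split())

def metric_matches(metric: dict) -> bool:
    """True when a logs-based metric (metrics list/describe --format=json) uses the required filter."""
    return normalize_filter(metric.get("filter", "")) == normalize_filter(REQUIRED_FILTER)

def policy_findings(policy: dict, valid_metrics: list, channels: list) -> list:
    """Apply the three checks of Audit step 14; an empty list means the policy is compliant."""
    findings = []
    if not policy.get("enabled", False):
        findings.append("policy is not enabled")
    wanted = [METRIC_PREFIX + m for m in valid_metrics]
    filters = [c.get("conditionThreshold", {}).get("filter", "") for c in policy.get("conditions", [])]
    if not any(w in f for f in filters for w in wanted):
        findings.append("no condition references a bucket-permission-change metric")
    if not any(ch.get("enabled", False) for ch in channels):
        findings.append("no enabled notification channel")
    return findings

def gcloud_json(*args: str):
    """Run one gcloud command (Audit steps 3, 8, 12) and parse its --format=json output."""
    proc = subprocess.run(["gcloud", *args, "--format=json"], check=True, capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")

def audit_project(project: str) -> dict:
    """Map each alerting policy name in a project to its findings (Audit steps 3-15)."""
    valid = [m["name"] for m in gcloud_json("beta", "logging", "metrics", "list", "--project", project)
             if metric_matches(m)]
    report = {}
    for pol in gcloud_json("alpha", "monitoring", "policies", "list", "--project", project):
        chans = [gcloud_json("alpha", "monitoring", "channels", "describe", c)
                 for c in pol.get("notificationChannels", [])]
        report[pol["name"]] = policy_findings(pol, valid, chans)
    return report

if __name__ == "__main__":
    if len(sys.argv) == 1:  # no project IDs given: evaluate the constructed sample offline
        print(SAMPLE_POLICY["name"], policy_findings(SAMPLE_POLICY, ["cc-bucket-permissions-changes"], []))
    for project in sys.argv[1:]:
        for name, findings in audit_project(project).items():
            print(project, name, "COMPLIANT" if not findings else "; ".join(findings))
```

A project is compliant when at least one policy comes back with an empty findings list; pass the project IDs from step 2 as arguments.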

Remediation / Resolution

To enable the monitoring of Cloud Storage bucket permission changes within your Google Cloud Platform (GCP) projects by creating and configuring the necessary log metric and alerting policy, perform the following actions:

Using GCP Console

01 Sign in to the Google Cloud Management Console.

02 Select the GCP project that you want to examine from the console top navigation bar.

03 Navigate to Google Cloud Logging console at https://console.cloud.google.com/logs.

04 In the left navigation panel, select Logs-based Metrics to access all the log metrics available for the selected GCP project.

05 On the Logs-based Metrics page, in the User-defined metrics section, click inside the Filter user-defined metrics box, select Filter, paste the following filter pattern: resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions, and press Enter. This is to ensure that there is no such filter pattern already available.

06 Choose Create metric next to User-defined metrics to create a new log metric based on the filter pattern specified at the previous step.

07 On the Create log-based metric setup page, perform the following actions:

  1. For Metric Type, choose Counter.
  2. Provide a unique name for the new log metric in the Log-based metric name text box.
  3. Enter a short description that reflects the metric purpose in the Description box.
  4. Type 1 in the Units text box for the number of log entries matching the given filter pattern.
  5. For Filter selection, ensure that Select log scope is set to Project logs, and paste the following filter pattern: resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions into the Build filter box.
  6. (Optional) For Labels, use the + Add label button to attach one or more tags to the new log metric. Select Done to close the panel.
  7. Choose Create metric to create your new log metric. If the request is successful, the following confirmation message should be displayed: Your log metric was successfully created. Data should be available soon.

08 In the left navigation panel, select again Logs-based Metrics.

09 Choose the newly created log metric listed in the User-defined metrics section and make sure that this metric is marked as enabled. If the metric is enabled, click on the 3-dot button to open the options menu and select Create alert from metric to create an alerting policy using the new log metric.

10 An alerting policy condition must be created first. When the condition is met, it triggers an alerting policy violation. On the Create alerting policy setup page, perform the following actions:

  1. For New condition, perform the following actions:
    • Ensure that the correct metric is displayed in the Select a metric box. Select a metric should be pre-populated with the ID of the metric filter configured at the previous steps.
    • For Transform data, configure the Rolling window to adjust the time the signal is calculated for (e.g. 10 minutes), set the Rolling window function to delta and the Time series aggregation to count. (Optional) To combine time series by label value, click inside the Time series group by configuration box and make a selection from the menu. The menu is constructed dynamically based on the time series you selected.
    • Choose NEXT to continue the setup process.
  2. For Configure trigger, perform the following operations:
    • For Condition Types choose Threshold.
    • For Alert trigger select Any time series violates.
    • For Threshold position select Above threshold.
    • For Threshold value use 0. A threshold of 0 (zero) will ensure that a notification alert is triggered for every bucket permission change made within the selected GCP project.
    • Provide a unique name for the new alerting policy condition in the Condition name text box.
    • Choose NEXT to continue the setup.
  3. For Notifications and name, perform the following actions:
    • Select Use notification channel to configure notification channels for alerts. Choose the names of the channels where you can be notified when alerting policy violations occur. As an example, this conformity rule will use email addresses as notification channels.
    • Click inside the Notifications Channels configuration box and select the email addresses that you want to use for getting notification alerts. Select OK to apply the changes. To create a new notification channel, click inside the Notification Channels box, choose MANAGE NOTIFICATION CHANNELS, and add a new channel. Google Cloud recommends creating multiple notification channels for redundancy purposes.
    • (Optional) For Notify on incident closure, choose whether or not to notify on incident closure and select a duration after which the incident will automatically close if the data is absent.
    • (Optional) For Policy user labels, use the + ADD LABEL button to add one or more policy user labels. Policy user labels allow you to apply your own labels to alert policies for organization.
    • (Optional) Enter any documentation you would like included with the notification in the Documentation text box. When email notifications are sent, they'll include the information entered here.
    • Provide a descriptive name for the new alerting policy in the Name the alert policy box.
    • Choose NEXT to continue.
  4. For Review alert, check the policy configuration details, then choose CREATE POLICY to create the new alerting policy. This will enable the monitoring of storage bucket permission changes within the selected GCP project.

11 Repeat steps no. 2 – 10 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run logging metrics create command (Windows/macOS/Linux) using the filter expression that detects storage bucket permission changes as value for the --log-filter parameter, i.e. resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions, to create the logs-based metric required to count the number of log entries that match the filter expression:

gcloud beta logging metrics create cc-bucket-permissions-changes \
  --description="Monitor Cloud Storage bucket permission changes inside GCP projects" \
  --log-filter="resource.type=gcs_bucket AND protoPayload.methodName=storage.setIamPermissions"

02 If the metric is successfully created, the command output should return the name of the newly created log metric. The new metric is enabled by default:

Created [cc-bucket-permissions-changes].

03 Run monitoring channels create command (Windows/macOS/Linux) to create the required notification channels. As an example, this conformity rule will use an email address as the notification channel for the alerting policy. When alerting policy violations occur, you will be notified via the email address configured at this step:

gcloud alpha monitoring channels create \
  --display-name="cc-main-notification-channel" \
  --description="Primary contact for GCP project notification alerts" \
  --type=email \
  --channel-labels=email_address="alerts@domain.com"

04 The command output should return the ID of the new notification channel:

Created notification channel [projects/cc-frontend-app-112233/notificationChannels/1234567890123456789].

05 Define the configuration for the alerting policy that you want to create and save it to a JSON document named gcp-alerting-policy.json. Replace the placeholder values such as [alerting-policy-display-name] and [log-metric-name] with your own values:

{
	"enabled": true,
	"displayName": "[alerting-policy-display-name]",
	"documentation": {
		"content": "[alerting-policy-documentation]",
		"mimeType": "text/markdown"
	},
	"notificationChannels": [
		"[notification-channel-id]"
	],
	"combiner": "OR",
	"alertStrategy": {
		"autoClose": "604800s"
	},
	"conditions": [
		{
			"conditionThreshold": {
				"aggregations": [
					{
						"alignmentPeriod": "600s",
						"crossSeriesReducer": "REDUCE_COUNT",
						"perSeriesAligner": "ALIGN_MEAN"
					}
				],
				"comparison": "COMPARISON_GT",
				"duration": "0s",
				"filter": "resource.type = \"gcs_bucket\" AND metric.type = \"logging.googleapis.com/user/[log-metric-name]\"",
				"trigger": {
					"count": 1
				}
			},
			"displayName": "[policy-condition-display-name]"
		}
	]
}

06 Run monitoring policies create command (Windows/macOS/Linux) to create the Google Cloud alerting policy that sends email notifications when Google Cloud Storage bucket permission changes are made inside the selected GCP project, based on the policy defined at the previous step (i.e. gcp-alerting-policy.json):

gcloud alpha monitoring policies create \
  --policy-from-file=gcp-alerting-policy.json

07 The command output should return the ID of the new Google Cloud alerting policy:

Created alert policy [projects/cc-frontend-app-112233/alertPolicies/1234567890123456789].

08 Repeat steps no. 1 – 7 for each GCP project available within your Google Cloud account.

Publication date May 4, 2021
