Detect GCP Resource Manager Configuration Changes

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made to the Resource Manager service, in your GCP account.
Resource Manager is a managed Google Cloud service that enables you to centrally configure settings for your GCP projects, folders, and organizations. The settings configured with Resource Manager are inherited by their descendants in the resource hierarchy. The hierarchical organization provided by Resource Manager allows you to manage common aspects of your cloud resources such as access control and configuration settings.
Similar to other Google Cloud services, Resource Manager is configured to write audit logs that can help you find who used the service to configure your resources, where and when. Trend Micro Cloud One™ – Conformity RTMA uses this audit information to process and send notifications about the configurations changes made at the Resource Manager service level.
The activity detected by the Conformity RTMA feature could be a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operations:

• "organizations.setIamPolicy" - Applies an IAM access control policy to a GCP organization resource. This operation replaces any existing policy defined for the resource.
• "organizations.setOrgPolicy" - Updates the policy associated with the specified resource (organization level). This operation creates a new policy for the resource if one does not exist.
• "projects.setIamPolicy" - Applies an IAM access control policy for the specified GPC project. This operation replaces the existing policy, and can't be used to append additional IAM settings.
• "projects.setOrgPolicy" - Updates the policy associated with the specified resource (project level). This operation creates a new policy for the resource if one does not exist.
• "folders.setIamPolicy" - Applies an IAM access control policy to a folder, replacing any existing policy defined for the specified folder.
• "folders.setOrgPolicy" - Updates the policy associated with the specified resource (folder level). This operation creates a new policy for the resource if one does not exist.

Resource Manager is a powerful tool that can be used to hierarchically manage Google Cloud resources by project, folder, or organization. When Resource Manager configuration changes are made by inexperienced personnel, the risk of resource exposure or inaccessibility increases significantly. For example, removing service accounts from policies or changing their roles can lead to inoperable services and/or resources. To follow security best practices and implement the Principle of Least Privilege, i.e. the practice of providing every user/process/system the minimal amount of access required to successfully perform its tasks, Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide GCP users (except administrators) the permission to perform Resource Manager configuration changes within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for Resource Manager configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.