It is recommended that a metric filter and alarm be established for Cloud Storage Bucket IAM changes. Monitoring changes to cloud storage bucket permissions may reduce the time needed to detect and correct permissions on sensitive cloud storage buckets and objects inside the bucket.
Recommended Mitigation
In the User-defined Metrics section, ensure that at least one metric is present with filter text: resource.type=gcs_bucket AND protoPayload.methodName=""storage.setIamPermissions""