Logging and monitoring

No monitoring for project ownership changes

Description

A grant of roles/owner on a project gives the grantee full control of every resource in it, including the ability to change IAM policy and disable other safeguards, so an unexpected owner assignment is one of the strongest signals of account compromise or privilege abuse in a GCP project. Every grant and every removal of roles/owner (and every ownership invitation) should be monitored with a log-based (user-defined) metric built from a filter over the Admin Activity audit logs, which record the SetIamPolicy calls that change project ownership and are always enabled, and that metric should drive an alerting policy so that the change is acted on, not just counted.
  • Recommended Mitigation

    In the User-defined Metrics section (Logging > Logs-based Metrics, or `gcloud logging metrics list`), ensure that at least one metric is present with the filter text: (protoPayload.serviceName="cloudresourcemanager.googleapis.com") AND (ProjectOwnership OR projectOwnerInvitee) OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")

    The first clause catches ownership invitations sent through the Resource Manager; the second and third catch an explicit removal or addition of a roles/owner binding in a policy change. A metric that exists but has no alerting policy attached only records a count; create an alert on the metric so that a non-zero value notifies a responder.
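The filter above is what Cloud Logging evaluates; the script below is an added example (not part of the original page or of any Google tooling) that applies the same logic offline to a few constructed Admin Activity audit log entries, so a practitioner can see which policy changes the metric counts and which it ignores before deploying it. It also builds the `gcloud logging metrics create` argv for the metric without executing it. The sample entries, the metric name, and the principal and member e-mail addresses are all constructed for illustration; the matcher follows Logging's rule that a comparison on a repeated field (bindingDeltas) is true if any element satisfies it.

```python
"""Offline model of the CIS project-ownership-change log filter (added example)."""
import json
from typing import Any, Dict, List, Tuple

# The metric filter exactly as given in the mitigation above.
OWNER_CHANGE_FILTER = (
    '(protoPayload.serviceName="cloudresourcemanager.googleapis.com") '
    'AND (ProjectOwnership OR projectOwnerInvitee) '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="REMOVE" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner") '
    'OR (protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD" '
    'AND protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner")'
)


def gcloud_create_metric_argv(metric_name: str) -> List[str]:
    """argv that would create the log-based metric with gcloud (built, not run here)."""
    return [
        "gcloud", "logging", "metrics", "create", metric_name,
        "--description=roles/owner binding added or removed on the project",
        f"--log-filter={OWNER_CHANGE_FILTER}",
    ]


def _binding_deltas(entry: Dict[str, Any]) -> List[Dict[str, Any]]:
    return (entry.get("protoPayload", {}).get("serviceData", {})
            .get("policyDelta", {}).get("bindingDeltas", []))


def matches_owner_change(entry: Dict[str, Any]) -> bool:
    """True if Cloud Logging would count this entry under OWNER_CHANGE_FILTER."""
    pp = entry.get("protoPayload", {})
    # Clause 1: bare terms (ProjectOwnership / projectOwnerInvitee) are a global
    # text search over the entry, restricted to Resource Manager events.
    serialized = json.dumps(entry)
    invite = (pp.get("serviceName") == "cloudresourcemanager.googleapis.com"
              and ("ProjectOwnership" in serialized or "projectOwnerInvitee" in serialized))
    # Clauses 2 and 3: each comparison on the repeated bindingDeltas field is
    # satisfied if any delta matches it (Logging's repeated-field semantics).
    deltas = _binding_deltas(entry)
    any_remove = any(d.get("action") == "REMOVE" for d in deltas)
    any_add = any(d.get("action") == "ADD" for d in deltas)
    any_owner = any(d.get("role") == "roles/owner" for d in deltas)
    return invite or (any_remove and any_owner) or (any_add and any_owner)


def owner_change_events(entries: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """(caller, action, member) for every roles/owner delta in matching entries."""
    events = []
    for entry in entries:
        if not matches_owner_change(entry):
            continue
        caller = (entry.get("protoPayload", {}).get("authenticationInfo", {})
                  .get("principalEmail", "unknown"))
        for d in _binding_deltas(entry):
            if d.get("role") == "roles/owner":
                events.append((caller, d.get("action", ""), d.get("member", "")))
    return events


def _audit_entry(caller: str, service: str, method: str, deltas: List[Dict[str, str]],
                 extra: Dict[str, Any] = None) -> Dict[str, Any]:
    """Build a constructed Admin Activity audit log entry in the AuditLog shape."""
    payload: Dict[str, Any] = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalEmail": caller},
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}},
    }
    payload.update(extra or {})
    return {"protoPayload": payload,
            "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity"}


# Constructed sample entries (not real logs): owner added, owner removed,
# a viewer grant that must not fire, an unrelated service, and an invitation
# whose exact request shape is a stand-in (only the keyword matters to the filter).
SAMPLE_ENTRIES = [
    _audit_entry("alice@example.com", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
                 [{"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}]),
    _audit_entry("admin@example.com", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
                 [{"action": "REMOVE", "role": "roles/owner", "member": "user:bob@example.com"}]),
    _audit_entry("admin@example.com", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
                 [{"action": "ADD", "role": "roles/viewer", "member": "user:carol@example.com"}]),
    _audit_entry("deploy@example.com", "compute.googleapis.com", "v1.compute.instances.insert", []),
    _audit_entry("admin@example.com", "cloudresourcemanager.googleapis.com", "SetIamPolicy", [],
                 extra={"request": {"projectOwnerInvitee": "dave@example.com"}}),
]

if __name__ == "__main__":
    for caller, action, member in owner_change_events(SAMPLE_ENTRIES):
        print(f"ALERT: {caller} {action} roles/owner for {member}")
    print(" ".join(gcloud_create_metric_argv("project-owner-changes")))
```

Run it as-is to see which constructed entries fire; to deploy the real metric, run the printed gcloud command (quoting the filter for your shell) and then attach an alerting policy to the new metric.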