Control: GCP > CIS v2.0 > 2 - Logging and Monitoring > 2.04 - Ensure Log Metric Filter and Alerts Exist for Project Ownership Assignments/Changes
Configures auditing against a CIS Benchmark item.
Level: 1
In order to prevent unnecessary project ownership assignments to users/service-accounts and further misuses of projects and resources, all roles/Owner
assignments should be monitored. Members (users/Service-Accounts) with a role assignment to primitive role roles/Owner
are project owners.
The project owner has all the privileges on the project the role belongs to. These are summarized below: - All viewer permissions on all GCP Services within the project - Permissions for actions that modify the state of all GCP services within the project - Manage roles and permissions for a project and all resources within the project - Set up billing for a project
Granting the owner role to a member (user/Service-Account) will allow that member to modify the Identity and Access Management (IAM) policy. Therefore, grant the owner role only if the member has a legitimate purpose to manage the IAM policy. This is because the project IAM policy contains sensitive access control data. Having a minimal set of users allowed to manage IAM policy will simplify any auditing that may be necessary.
Resource Types
This control targets the following resource types:
Primary Policies
The following policies can be used to configure this control:
Category
In Your Workspace
Developers
- tmod:@turbot/gcp-cisv2-0#/control/types/r0204
- tmod:@turbot/cis#/control/categories/v070602
- turbot graphql controls --filter "controlTypeId:tmod:@turbot/gcp-cisv2-0#/control/types/r0204"
Get Controls