audit_logging_configured_for_all_service bigquery_dataset_encrypted_with_cmk bigquery_dataset_not_publicly_accessible bigquery_dataset_restrict_gmail bigquery_dataset_restrict_googlegroups bigquery_table_encrypted_with_cmk compute_disk_encrypted_with_csk compute_firewall_allow_connections_proxied_by_iap compute_firewall_rule_rdp_access_restricted compute_firewall_rule_ssh_access_restricted compute_https_load_balancer_logging_enabled compute_instance_block_project_wide_ssh_enabled compute_instance_confidential_computing_enabled compute_instance_ip_forwarding_disabled compute_instance_oslogin_enabled compute_instance_serial_port_connection_disabled compute_instance_shielded_vm_enabled compute_instance_with_no_default_service_account compute_instance_with_no_default_service_account_with_full_access compute_instance_with_no_public_ip_addresses compute_network_contains_no_default_network compute_network_contains_no_legacy_network compute_network_dns_logging_enabled compute_ssl_policy_with_no_weak_cipher compute_subnetwork_flow_log_enabled compute_subnetwork_private_ip_google_access dataproc_cluster_encryption_with_cmek dns_managed_zone_dnssec_enabled dns_managed_zone_key_signing_not_using_rsasha1 dns_managed_zone_zone_signing_not_using_rsasha1 iam_service_account_gcp_managed_key iam_service_account_key_age_100 iam_service_account_key_age_90 iam_service_account_without_admin_privilege iam_user_denylist_public iam_user_not_assigned_service_account_user_role_project_level iam_user_separation_of_duty_enforced iam_user_uses_corporate_login_credentials kms_key_not_publicly_accessible kms_key_rotated_within_100_day kms_key_rotated_within_90_day kms_key_separation_of_duties_enforced kubernetes_cluster_auto_repair_enabled kubernetes_cluster_auto_upgrade_enabled kubernetes_cluster_dashboard_disabled kubernetes_cluster_legacy_abac_enabled kubernetes_cluster_legacy_endpoints_disabled kubernetes_cluster_master_authorized_networks_config_enabled kubernetes_cluster_network_policy_installed kubernetes_cluster_node_config_image_cos_containerd kubernetes_cluster_private_cluster_config_enabled kubernetes_cluster_service_account_default kubernetes_cluster_use_ip_aliases logging_bucket_retention_policy_enabled logging_metric_alert_audit_configuration_changes logging_metric_alert_custom_role_changes logging_metric_alert_firewall_rule_changes logging_metric_alert_network_changes logging_metric_alert_network_route_changes logging_metric_alert_project_ownership_assignment logging_metric_alert_sql_instance_configuration_changes logging_metric_alert_storage_iam_permission_changes logging_sink_configured_for_all_resource manual_control organization_essential_contacts_configured project_access_approval_settings_enabled project_service_cloudasset_api_enabled sql_instance_automated_backups_enabled sql_instance_mysql_local_infile_database_flag_off sql_instance_mysql_skip_show_database_flag_on sql_instance_not_open_to_internet sql_instance_not_publicly_accessible sql_instance_postgresql_cloudsql_pgaudit_database_flag_enabled sql_instance_postgresql_log_checkpoints_database_flag_on sql_instance_postgresql_log_connections_database_flag_on sql_instance_postgresql_log_disconnections_database_flag_on sql_instance_postgresql_log_duration_database_flag_on sql_instance_postgresql_log_error_verbosity_database_flag_default_or_stricter sql_instance_postgresql_log_executor_stats_database_flag_off sql_instance_postgresql_log_hostname_database_flag_configured sql_instance_postgresql_log_lock_waits_database_flag_on sql_instance_postgresql_log_min_duration_statement_database_flag_disabled sql_instance_postgresql_log_min_error_statement_database_flag_configured sql_instance_postgresql_log_min_messages_database_flag_error sql_instance_postgresql_log_parser_stats_database_flag_off sql_instance_postgresql_log_planner_stats_database_flag_off sql_instance_postgresql_log_statement_database_flag_ddl sql_instance_postgresql_log_statement_stats_database_flag_off sql_instance_postgresql_log_temp_files_database_flag_0 sql_instance_require_ssl_enabled sql_instance_sql_3625_trace_database_flag_off sql_instance_sql_3625_trace_database_flag_on sql_instance_sql_contained_database_authentication_database_flag_off sql_instance_sql_cross_db_ownership_chaining_database_flag_off sql_instance_sql_external_scripts_enabled_database_flag_off sql_instance_sql_remote_access_database_flag_off sql_instance_sql_user_connections_database_flag_configured sql_instance_sql_user_options_database_flag_not_configured sql_instance_with_no_public_ips storage_bucket_bucket_policy_only_enabled storage_bucket_not_publicly_accessible storage_bucket_uniform_access_enabled

Query: logging_metric_alert_storage_iam_permission_changes

Usage

steampipe query gcp_compliance.query.logging_metric_alert_storage_iam_permission_changes

Plugins & Tables

gcp_logging_metric

gcp_monitoring_alert_policy

GCP plugin

SQL

with filter_data as (
  select
    display_name alert_name,
    m.name metric_name
  from
    gcp_monitoring_alert_policy,
    jsonb_array_elements(conditions) as filter_condition
    join gcp_logging_metric m on m.filter ~ '\s*resource.type\s*=\s*gcs_bucket\s*AND\s*protoPayload.methodName\s*=\s*"storage.setIamPermissions"\s*'
    and filter_condition -> 'conditionThreshold' ->> 'filter' like '%metric.type="' || m.metric_descriptor_type || '"%'
  where
    enabled
)
select
  'https://cloudresourcemanager.googleapis.com/v1/projects/' || project_id resource,
  case
    when (
      select
        count(metric_name)
      from
        filter_data
    ) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (
      select
        count(metric_name)
      from
        filter_data
    ) > 0 then 'Log metric and alert exist for Storage IAM permission changes.'
    else 'Log metric and alert do not exist for Storage IAM permission changes.'
  end as reason,
  name as project
from
  gcp_project;

Controls

The query is being used by the following controls: