Project Ownership Assignments Changed

This alert occurs when Lacework detects a change in the ownership of a Google Cloud project.

Project ownership refers to the user or group that has administrative access to the project and can manage its resources.

Related policy: LW_AT_RESOURCE_45: Project Ownership Assignments Changed

Why this alert is important

If ownership of a project is transferred to an unauthorized user, it could result in unauthorized access to sensitive data or resources. Monitoring this alert can help you quickly identify any unauthorized changes to project ownership and take appropriate action to secure your Google Cloud environment.

Investigation

If you suspect that a malicious change has been made to the project ownership assignments, follow these steps to investigate the alert:

  1. Review the Audit Logs to identify any recent changes to the project ownership assignments. Look for any suspicious activity or unauthorized access, such as changes made by unfamiliar users or unusual activity patterns.
  2. Check the permissions assigned to each user in your Google Cloud environment to determine whether any users have access to project ownership assignments that they should not have. Review the access control lists (ACLs) and permissions for service accounts, groups, or individuals with access to project ownership assignments.
  3. Review the access logs for any users or service accounts that have made changes to the project ownership assignments. Look for suspicious activity patterns or attempts to access resources that the user should not have access to.
  4. Contact Google Support immediately if you suspect a malicious change has been made. They can provide additional guidance and assistance in investigating the issue and restoring your Google Cloud environment to a secure state.
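
To support step 1, the following added example (not Lacework's or Google's code) filters exported Admin Activity audit log entries for SetIamPolicy calls that add or remove a roles/owner binding and flags the ones made by an actor outside an allow-list. The sample entries, the APPROVED_ACTORS allow-list, and the function name are constructed assumptions.

```python
import json
# Constructed sample: three entries shaped like Admin Activity audit log
# records exported as JSON. All projects and identities are made up.
SAMPLE_LOG = json.loads("""[
 {"timestamp": "2024-01-10T09:15:00Z",
  "resource": {"labels": {"project_id": "example-prod"}},
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "admin@example.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
    {"action": "ADD", "role": "roles/viewer", "member": "user:dev@example.com"}]}}}},
 {"timestamp": "2024-01-10T11:42:00Z",
  "resource": {"labels": {"project_id": "example-prod"}},
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "build-sa@example-prod.iam.gserviceaccount.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
    {"action": "ADD", "role": "roles/owner", "member": "user:new-owner@example.org"}]}}}},
 {"timestamp": "2024-01-10T10:05:00Z",
  "resource": {"labels": {"project_id": "example-prod"}},
  "protoPayload": {"methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "admin@example.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
    {"action": "REMOVE", "role": "roles/owner", "member": "user:former@example.com"}]}}}}
]""")

# Assumption: identities your organization permits to change project owners.
APPROVED_ACTORS = {"admin@example.com"}

def owner_changes(entries, approved=APPROVED_ACTORS):
    """Return roles/owner binding changes, oldest first, flagging unapproved actors."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").endswith("SetIamPolicy"):
            continue  # only IAM policy writes can change ownership bindings
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        deltas = (payload.get("serviceData", {}).get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("role") != "roles/owner":
                continue  # ignore changes to other roles
            findings.append({
                "time": entry.get("timestamp", ""),
                "project": entry.get("resource", {}).get("labels", {}).get("project_id"),
                "action": delta.get("action"), "member": delta.get("member"),
                "actor": actor, "unapproved_actor": actor not in approved})
    return sorted(findings, key=lambda f: f["time"])

if __name__ == "__main__":
    print(*owner_changes(SAMPLE_LOG), sep="\n")
```

Findings with unapproved_actor set to True are the ones to carry into steps 2 and 3, since they identify both the account that made the change and the member that gained or lost ownership.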

Resolution

If you detect an unauthorized change in project ownership assignments, take immediate action to resolve the issue and restore the security of your Google Cloud environment, including:

  1. Revoke the user's permissions immediately if you suspect a user account has been compromised or used to make unauthorized changes to project ownership assignments. This can help prevent further unauthorized access to your Google Cloud environment.
  2. Transfer ownership back to the correct user or group immediately if the project ownership has been transferred to an unauthorized user or group.
  3. Review the access controls and permissions for all users and groups with access to project ownership assignments. Make sure that only authorized users have access to these assignments.
  4. Implement additional security measures, such as multi-factor authentication (MFA) and access controls, to prevent future unauthorized access to your Google Cloud environment.
  5. Monitor your Google Cloud environment for any further suspicious activity indicating ongoing unauthorized access.