Access denied for Google Cloud Service Account

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) exhibits access denied behavior that deviates from normal.

Strategy

Inspect the Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) for errors (@data.protoPayload.status.code:7) caused by denied permissions (@evt.outcome). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline.

Triage and response

Investigate the logs and determine whether or not the Google Cloud service account {{@usr.id}} is compromised.