Google Cloud exposed service account key

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when Google Cloud disables a key for being exposed.

Strategy

This rule monitors Cloud Audit Logs and detects when the principal gcp-compromised-key-response@system.gserviceaccount.com disabled a key. If Google Cloud detects an exposed key, it automatically disables the key.

Triage and response

  1. An abuse event is created in the Abuse Event logs.
  2. Investigate any other actions carried out by the compromised identity {{@data.protoPayload.request.name}} using the Cloud SIEM investigator.