API

Google Cloud IAM role created

Docs > Datadog Security > OOTB Rules > Google Cloud IAM role created

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a Google Cloud IAM role is created.

Strategy

Monitor Google Cloud IAM activity audit logs to determine when the following method is invoked:

google.iam.admin.v1.CreateRole

Triage and response

Investigate the user {{@usr.id}} who created the IAM role {{@data.protoPayload.resourceName}} and ensure the permissions in @data.protoPayload.response.included_permissions are scoped properly.
Review the users associated with the role and ensure they should have the permissions attached to the role.