Google Cloud IAM Role updated


Goal

Detect when a Google Cloud IAM role is updated.

Strategy

Monitor Google Cloud IAM activity audit logs to determine when the following method is invoked:

  • google.iam.admin.v1.UpdateRole

Triage and response

  1. Investigate the user {{@usr.id}} who performed the role update on {{@data.protoPayload.resourceName}} and confirm that the permissions in @data.protoPayload.response.included_permissions are scoped properly.
  2. Review the users associated with the role and confirm that they should have the permissions attached to it.
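
The strategy and the first triage step can be rehearsed offline with a short script. The following is an added example, not part of the original rule: it filters exported audit log lines for the UpdateRole method and lists the permissions that deserve review. The field names follow the raw Cloud Audit Log JSON shape (without the @data. prefix used above), and the sample entries and the REVIEW_PATTERNS watchlist are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

UPDATE_ROLE = "google.iam.admin.v1.UpdateRole"

# Assumed watchlist of permission patterns that warrant a closer look;
# tune it to your own environment.
REVIEW_PATTERNS = ["*.setIamPolicy", "iam.serviceAccountKeys.*", "iam.serviceAccounts.actAs"]

# Constructed sample entries (not real logs), one JSON audit log entry per line.
SAMPLE_LOGS = """\
{"protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole", "authenticationInfo": {"principalEmail": "alice@example.com"}, "resourceName": "projects/example-project/roles/customViewer", "status": {}, "response": {"included_permissions": ["storage.objects.get", "storage.objects.list"]}}}
{"protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole", "authenticationInfo": {"principalEmail": "bob@example.com"}, "resourceName": "projects/example-project/roles/customDeployer", "status": {}, "response": {"included_permissions": ["compute.instances.list", "resourcemanager.projects.setIamPolicy", "iam.serviceAccounts.actAs"]}}}
{"protoPayload": {"methodName": "google.iam.admin.v1.CreateRole", "authenticationInfo": {"principalEmail": "carol@example.com"}, "resourceName": "projects/example-project/roles/customAuditor", "status": {}}}
not json
{"protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole", "authenticationInfo": {"principalEmail": "dave@example.com"}, "resourceName": "projects/example-project/roles/customViewer", "status": {"code": 7, "message": "PERMISSION_DENIED"}}}
"""

def triage_role_updates(lines, patterns=REVIEW_PATTERNS):
    """Return one finding per UpdateRole entry, with the permissions to review."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload", {})
        except (json.JSONDecodeError, AttributeError):
            continue  # skip blank, malformed or non-object lines
        if payload.get("methodName") != UPDATE_ROLE:
            continue
        # A denied or failed call carries no response body, so default to empty.
        perms = (payload.get("response") or {}).get("included_permissions", [])
        flagged = sorted(p for p in perms
                         if any(fnmatchcase(p, pat) for pat in patterns))
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "role": payload.get("resourceName"),
            "status_code": (payload.get("status") or {}).get("code", 0),
            "permissions": perms,
            "flagged": flagged,
        })
    return findings

if __name__ == "__main__":
    for finding in triage_role_updates(SAMPLE_LOGS.splitlines()):
        print(json.dumps(finding))
```

A finding with a non-zero status_code and no permissions is a failed update attempt, which is still worth attributing to its principal.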

Changelog

  • 25 September 2024 - Updated query to replace attribute @threat_intel.results.category:anonymizer.