Google Cloud Service Account key created

gcp

Classification:

attack

Tactic:

TA0003-persistence

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a new service account key is created. An attacker could use this key as a backdoor to your account.

Strategy

This rule lets you monitor Google Cloud Admin activity audit logs to detect the creation of a service account key.

Triage and response

Contact the user who created the service account key to ensure they’re managing the key securely.

Changelog

31 January 2023 - Updated tags.