Google Cloud Service Account accessing anomalous number of Google Cloud APIs
Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel,
n'hésitez pas à nous contacter.
Goal
Detect when a Google Cloud service account is compromised.
Strategy
Inspect the Google Cloud admin activity logs (@data.logName:*%2Factivity) and filter for only Google Cloud service accounts (@usr.id:*.iam.gserviceaccount.com). Count the unique number of Google Cloud API calls (@evt.name) which are being made for each service account (@usr.id). The anomaly detection baselines each service account and then generates a security signal when a service account deviates from their baseline.
To read more about Google Cloud audit logs, read the blog post.
Triage and response
Investigate the logs and determine whether or not the Google Cloud service account is compromised.
Changelog
- 17 October 2022 - Updated tags.
