Google Cloud exposed service account key

gcp

Classification:

attack

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when Google Cloud disables a key for being exposed.

Strategy

This rule monitors Cloud Audit Logs and detects when the principal gcp-compromised-key-response@system.gserviceaccount.com disabled a key. If Google Cloud detects an exposed key, it automatically disables the key.

Triage and response

  1. An abuse event is created in the Abuse Event logs.
  2. Investigate any other actions carried out by the compromised identity {{@data.protoPayload.request.name}} using the Cloud SIEM investigator.