Google Cloud IAM role created


Goal

Detect when a Google Cloud IAM role is created.

Strategy

Monitor Google Cloud IAM activity audit logs to determine when the following method is invoked:

  • google.iam.admin.v1.CreateRole
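As an added illustration of the strategy above (this is example code written for this page, not part of the rule or of any Datadog or Google tooling), the detector below reads Google Cloud audit log entries as JSON lines, keeps only those whose `protoPayload.methodName` is `google.iam.admin.v1.CreateRole`, and extracts the three fields the triage steps rely on. The two log entries are constructed samples shaped like Admin Activity audit records; the mapping of `@usr.id` to `protoPayload.authenticationInfo.principalEmail` is an assumption about how the attribute is populated.

```python
import json

# Method name the rule matches, from the Strategy section of the page.
CREATE_ROLE_METHOD = "google.iam.admin.v1.CreateRole"

# Constructed sample entries shaped like Google Cloud Admin Activity audit
# log records. Only the fields the rule references are populated; all
# values are made up. The second entry is an UpdateRole call that the
# detector must ignore.
SAMPLE_LOG_LINES = [
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateRole",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "resourceName": "projects/example-project/roles/customDeployer",
            "response": {
                "@type": "type.googleapis.com/google.iam.admin.v1.Role",
                "name": "projects/example-project/roles/customDeployer",
                "included_permissions": [
                    "compute.instances.create",
                    "iam.serviceAccounts.actAs",
                ],
            },
        },
    }),
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.UpdateRole",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
            "resourceName": "projects/example-project/roles/customDeployer",
        },
    }),
]


def detect_role_creation(log_lines):
    """Return one finding per audit entry whose methodName is CreateRole.

    Each finding carries the actor, the role resource name and the
    permissions granted by the new role, which is what the triage
    steps need.
    """
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the detector
        payload = entry.get("protoPayload") or {}
        if payload.get("methodName") != CREATE_ROLE_METHOD:
            continue
        response = payload.get("response") or {}
        findings.append({
            # Assumption: Datadog's @usr.id is populated from principalEmail.
            "usr_id": (payload.get("authenticationInfo") or {}).get("principalEmail"),
            "resource_name": payload.get("resourceName"),
            "included_permissions": list(response.get("included_permissions", [])),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_role_creation(SAMPLE_LOG_LINES):
        print(json.dumps(finding, indent=2))
```

Feed it the raw entries exported from Cloud Logging (one JSON object per line) and each finding corresponds to one signal this rule would raise.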

Triage and response

  1. Investigate the user {{@usr.id}} who created the IAM role {{@data.protoPayload.resourceName}} and ensure the permissions in {{@data.protoPayload.response.included_permissions}} are scoped properly.
  2. Review the principals (users, groups, and service accounts) bound to the role and ensure each should have the permissions the role grants.
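To make the two triage steps concrete, the following added example (written for this page, not part of the rule) does the two checks an analyst performs by hand: it flags permissions in the new role that commonly enable privilege escalation, and it lists every principal bound to the role in a project IAM policy, including conditional bindings. The high-risk permission list is an illustrative assumption (each name is a real IAM permission, but the selection is not an official list), and the policy document is a constructed sample shaped like the output of `gcloud projects get-iam-policy PROJECT --format=json`.

```python
# Permissions that warrant a closer look when they appear in a new custom
# role. Assumption: this is an illustrative selection for this example, not
# an official Google Cloud list. Tune it for your environment.
HIGH_RISK_PERMISSIONS = {
    "iam.serviceAccounts.actAs",
    "iam.serviceAccountKeys.create",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
    "storage.buckets.setIamPolicy",
}

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
# The role is bound twice, once unconditionally and once with a condition,
# so the lookup has to merge members across bindings.
SAMPLE_PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
        {
            "role": "projects/example-project/roles/customDeployer",
            "members": [
                "user:alice@example.com",
                "serviceAccount:deploy@example-project.iam.gserviceaccount.com",
            ],
        },
        {
            "role": "projects/example-project/roles/customDeployer",
            "members": ["group:ops@example.com"],
            "condition": {
                "title": "business-hours",
                "expression": "request.time.getHours('UTC') >= 8",
            },
        },
    ],
    "etag": "BwXconstructed=",
    "version": 3,
}


def flag_risky_permissions(included_permissions):
    """Step 1: return the subset of the role's permissions that are high risk."""
    return sorted(p for p in included_permissions if p in HIGH_RISK_PERMISSIONS)


def members_bound_to_role(policy, role_name):
    """Step 2: return every principal bound to role_name in the policy.

    Bindings are merged across entries, so conditional bindings are not
    missed; role_name must be the full resource name of a custom role.
    """
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == role_name:
            members.update(binding.get("members", []))
    return sorted(members)


def triage(finding, policy):
    """Combine both checks for one detection finding into a summary dict."""
    return {
        "actor": finding["usr_id"],
        "role": finding["resource_name"],
        "risky_permissions": flag_risky_permissions(finding["included_permissions"]),
        "bound_members": members_bound_to_role(policy, finding["resource_name"]),
    }


if __name__ == "__main__":
    # Constructed finding matching the fields the rule exposes.
    sample_finding = {
        "usr_id": "alice@example.com",
        "resource_name": "projects/example-project/roles/customDeployer",
        "included_permissions": ["compute.instances.create", "iam.serviceAccounts.actAs"],
    }
    print(triage(sample_finding, SAMPLE_PROJECT_POLICY))
```

A freshly created role usually has no bindings yet, so an empty `bound_members` list is normal; a non-empty list shortly after creation, or a risky permission granted to a service account, is what should escalate the signal.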