Google Cloud IAM Role updated


Goal

Detect when a Google Cloud IAM role is updated.

Strategy

Monitor Google Cloud IAM activity audit logs to determine when the following method is invoked:

  • google.iam.admin.v1.UpdateRole

Triage and response

  1. Investigate the user {{@usr.id}} who performed the role update on {{@data.protoPayload.resourceName}} and ensure the permissions in @data.protoPayload.response.included_permissions are scoped properly.
  2. Review the users associated with the role and ensure they should have the permissions attached to the role.
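As an added example (not part of the original rule page or Datadog's own code), the following Python script applies the Strategy and the first triage step above to a constructed export of Cloud Audit Log entries: it keeps only activity-log entries whose `protoPayload.methodName` is `google.iam.admin.v1.UpdateRole`, and for each one pulls out the principal, the `resourceName`, and the `response.included_permissions` list so a responder can see at once what the role now grants. The log lines are constructed for this example, and the `SENSITIVE_PERMISSIONS` set is an illustrative triage aid chosen here, not something the page prescribes.

```python
from __future__ import annotations

import json

# Method name from the rule's Strategy section.
UPDATE_ROLE_METHOD = "google.iam.admin.v1.UpdateRole"
# IAM role changes land in the Admin Activity audit log stream.
ACTIVITY_LOG_SUFFIX = "cloudaudit.googleapis.com%2Factivity"

# Illustrative set of permissions that deserve a closer look during triage.
# Assumption for this example only; tune to your environment.
SENSITIVE_PERMISSIONS = {
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccountKeys.create",
    "iam.roles.update",
}

# Constructed sample of Cloud Audit Log entries (NDJSON); not real log data.
SAMPLE_LOG = """\
{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-01-01T10:00:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.UpdateRole","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project/roles/customViewer","response":{"@type":"type.googleapis.com/google.iam.admin.v1.Role","name":"projects/example-project/roles/customViewer","included_permissions":["storage.objects.get","resourcemanager.projects.setIamPolicy"]}}}
{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access","timestamp":"2024-01-01T10:01:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.GetRole","authenticationInfo":{"principalEmail":"bob@example.com"},"resourceName":"projects/example-project/roles/customViewer"}}
{"logName":"projects/example-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-01-01T10:02:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.UpdateRole","authenticationInfo":{"principalEmail":"carol@example.com"},"resourceName":"projects/example-project/roles/logReader","response":{"@type":"type.googleapis.com/google.iam.admin.v1.Role","name":"projects/example-project/roles/logReader","included_permissions":["logging.logEntries.list"]}}}
"""


def parse_entries(ndjson: str) -> list[dict]:
    """Parse a newline-delimited JSON log export into a list of entry dicts."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def detect_role_updates(entries: list[dict]) -> list[dict]:
    """Return one finding per activity-log entry whose method is UpdateRole.

    Each finding carries the fields the triage steps ask about: who made the
    change, which role was changed, and which permissions the role now holds.
    """
    findings = []
    for entry in entries:
        # Only the Admin Activity stream is in scope for this rule.
        if not entry.get("logName", "").endswith(ACTIVITY_LOG_SUFFIX):
            continue
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != UPDATE_ROLE_METHOD:
            continue
        # The updated Role object is returned in the response; its
        # included_permissions list is the role's full permission set.
        permissions = payload.get("response", {}).get("included_permissions", [])
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
            "permissions": permissions,
            "sensitive": sorted(set(permissions) & SENSITIVE_PERMISSIONS),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_role_updates(parse_entries(SAMPLE_LOG)):
        flag = " (contains sensitive permissions)" if finding["sensitive"] else ""
        print(f"{finding['timestamp']} {finding['principal']} updated "
              f"{finding['resource']}{flag}")
```

Run against the sample, the script reports two role updates and skips the `GetRole` entry from the data-access stream; the first finding is marked because the updated role now includes `resourcemanager.projects.setIamPolicy`, which is exactly the kind of permission the first triage step asks you to confirm is scoped properly.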