Google Cloud unauthorized service account activity
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect when there is unauthorized activity by a service account in GCP.
Strategy
Monitor Google Cloud logs and detect when a service account makes an API request and the request returns the status code equal to 7
within the log attribute @data.protoPayload.status.code
. The status code 7
indicates the service account did not have permission to make the API call.
Triage and response
- Investigate the service account:
{{@usr.id}}
that made the unauthorized calls and confirm if there is a misconfiguration in IAM permissions or if an attacker compromised the service account. - If unauthorized, revoke access of compromised service account and rotate credentials.
Changelog
22 June 2022 - Updated query, rule case and triage.