<  Back to rules search

GCP unauthorized service account activity

gcp

Classification:

compliance

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect when there is unauthorized activity by a service account in GCP

Strategy

Monitor GCP logs and detect when a service account makes an API request and the request returns the status code equal to 7 within the log attribute @data.protoPayload.status.code. The status code 7 indicates the service account did not have permission to make the API call.

Triage and response

  1. Determine the service account that made the unauthorized calls.
  2. Investigate if there is a misconfiguration in IAM permissions or if an attacker compromised the service account