Access denied for Google Cloud Service Account

gcp

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) exhibits access denied behavior that deviates from normal.

Strategy

Inspect the Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) for errors (@data.protoPayload.status.code:7) caused by denied permissions (@evt.outcome). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline.

Triage and response

Investigate the logs and determine whether or not the Google Cloud service account {{@usr.id}} is compromised.