Access denied for Google Cloud Service Account

gcp

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1078-valid-accounts

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) exhibits access denied behavior that deviates from normal.

Strategy

Inspect the Google Cloud service account (@usr.id:*.iam.gserviceaccount.com) for errors (@data.protoPayload.status.code:7) caused by denied permissions (@evt.outcome). The anomaly detection will baseline each service account and then generate a security signal when a service account deviates from their baseline.

Note: By default, Google Cloud only logs PERMISSION_DENIED errors for write operations (Admin Activity audit logs). Read operations are not logged because Data Access audit logs are disabled by default. You must enable Data Access audit logs for this rule to have full visibility over access denied activity from service accounts.

Triage and response

Investigate the logs and determine whether the Google Cloud service account {{@usr.id}} is compromised.