---
title: Google Cloud IAM policy modified
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Google Cloud IAM policy modified
---

# Google Cloud IAM policy modified
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect a change to the IAM policy.

## Strategy{% #strategy %}

This rule lets you monitor Google Cloud Admin activity audit logs to determine when the `SetIamPolicy` method is invoked.

## Triage and response{% #triage-and-response %}

Review the log and inspect the policy deltas (`@data.protoPayload.serviceData.policyDelta.bindingDeltas`) and ensure none of the actions are `REMOVE`.