---
title: Access denied for Google Cloud Service Account
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Access denied for Google Cloud Service
  Account
---

# Access denied for Google Cloud Service Account
Classification: attack
Tactic: [TA0004-privilege-escalation](https://attack.mitre.org/tactics/TA0004)
Technique: [T1078-valid-accounts](https://attack.mitre.org/techniques/T1078)

## Goal{% #goal %}

Detect when a Google Cloud service account (`@usr.id:*.iam.gserviceaccount.com`) exhibits access denied behavior that deviates from normal.

## Strategy{% #strategy %}

Inspect the Google Cloud service account (`@usr.id:*.iam.gserviceaccount.com`) for errors (`@data.protoPayload.status.code:7`) caused by denied permissions (`@evt.outcome`). The anomaly detection baselines each service account individually and then generates a security signal when a service account deviates from its own baseline.

**Note:** By default, Google Cloud only logs `PERMISSION_DENIED` errors for write operations (Admin Activity audit logs). Read operations are not logged because [Data Access audit logs](https://cloud.google.com/logging/docs/audit#data-access) are disabled by default. You must [enable Data Access audit logs](https://cloud.google.com/logging/docs/audit/configure-data-access) for this rule to have full visibility over access denied activity from service accounts.
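To make the strategy above concrete, the following added example (not Datadog's rule logic or code) scopes constructed Cloud Audit Log entries to `*.iam.gserviceaccount.com` principals with `status.code` 7, counts denials per account, and flags an account only when its current count exceeds its own historical baseline. It assumes Datadog derives `@usr.id` from `protoPayload.authenticationInfo.principalEmail`, and the mean-plus-sigma baseline is a simplified stand-in for Datadog's anomaly detection.

```python
import re
import statistics
from collections import Counter

# Scope of the rule: identities matching @usr.id:*.iam.gserviceaccount.com
SA_RE = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")
PERMISSION_DENIED = 7  # google.rpc.Code PERMISSION_DENIED (@data.protoPayload.status.code:7)

def denied_service_account(entry):
    """Return the service-account principal if this audit entry is a
    PERMISSION_DENIED from a *.iam.gserviceaccount.com identity, else None."""
    payload = entry.get("protoPayload", {})
    # Assumption: Datadog fills @usr.id from authenticationInfo.principalEmail.
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    code = payload.get("status", {}).get("code")
    return principal if code == PERMISSION_DENIED and SA_RE.match(principal) else None

def count_denials(entries):
    """Per-service-account denial counts for one evaluation window."""
    counts = Counter()
    for entry in entries:
        principal = denied_service_account(entry)
        if principal:
            counts[principal] += 1
    return counts

def anomalous_accounts(history, current, sigma=3.0, min_count=5):
    """Flag accounts whose current-window denial count exceeds their own baseline
    (mean + sigma * stdev of past per-window counts). A simplified stand-in for
    Datadog's anomaly detection, not its algorithm."""
    flagged = {}
    for principal, count in current.items():
        past = history.get(principal, [])
        if len(past) < 2:
            continue  # no baseline yet: do not judge a brand-new account
        threshold = statistics.mean(past) + sigma * (statistics.pstdev(past) or 1.0)
        if count >= min_count and count > threshold:
            flagged[principal] = (count, round(threshold, 2))
    return flagged

def _entry(principal, code):  # builds a constructed sample entry (not real log data)
    return {"protoPayload": {"authenticationInfo": {"principalEmail": principal},
                             "status": {"code": code}}}

SA = "ci-deploy@proj.iam.gserviceaccount.com"  # constructed principal
SAMPLE_ENTRIES = [_entry(SA, 7)] * 9 + [_entry("alice@example.com", 7), _entry(SA, 0)]
HISTORY = {SA: [0, 1, 0, 2, 1, 0, 1]}  # constructed past per-window denial counts
def detect(entries=SAMPLE_ENTRIES, history=HISTORY):
    return anomalous_accounts(history, count_denials(entries))
```

The human user and the successful call are excluded before counting, which mirrors the rule's scoping; without Data Access audit logs enabled, only denied write operations would reach this stage.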

## Triage and response{% #triage-and-response %}

Investigate the logs and determine whether the Google Cloud service account {{@usr.id}} is compromised.
