---
title: Google Cloud IAM role created
description: Datadog, the leading service for cloud-scale monitoring.
---

# Google Cloud IAM role created

- Classification: attack
- Tactic: [TA0003-persistence](https://attack.mitre.org/tactics/TA0003)
- Technique: [T1098-account-manipulation](https://attack.mitre.org/techniques/T1098)

## Goal{% #goal %}

Detect when a Google Cloud IAM role is created.

## Strategy{% #strategy %}

Monitor Google Cloud IAM activity audit logs to determine when the following method is invoked:

- `google.iam.admin.v1.CreateRole`

## Triage and response{% #triage-and-response %}

1. Investigate the user {{@usr.id}} who created the IAM role {{@data.protoPayload.resourceName}} and ensure the permissions in `@data.protoPayload.response.included_permissions` are scoped properly.
1. Review the users associated with the role and ensure they should have the permissions attached to the role.
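
As an added example (not Datadog's rule logic and not code from this page), the sketch below applies the Strategy match to constructed log lines and pulls out the fields the triage steps review. The record shape (`data.protoPayload` carrying `methodName`, `authenticationInfo.principalEmail` and `status`, as in the Google Cloud audit log format), the `REVIEW_FIRST` set and the function name are assumptions of the example.

```python
import json

CREATE_ROLE = "google.iam.admin.v1.CreateRole"  # method named under Strategy
# Assumption: illustrative, non-exhaustive permissions to look at first in review.
REVIEW_FIRST = {"iam.roles.update", "iam.serviceAccounts.actAs",
                "iam.serviceAccounts.getAccessToken", "iam.serviceAccountKeys.create"}

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_LOGS = r"""
{"data":{"protoPayload":{"methodName":"google.iam.admin.v1.CreateRole","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project/roles/customDeployer","response":{"included_permissions":["storage.objects.get","iam.serviceAccounts.actAs","resourcemanager.projects.setIamPolicy"]}}}}
{"data":{"protoPayload":{"methodName":"google.iam.admin.v1.GetRole","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/example-project/roles/customDeployer"}}}
{"data":{"protoPayload":{"methodName":"google.iam.admin.v1.CreateRole","authenticationInfo":{"principalEmail":"bob@example.com"},"resourceName":"projects/example-project/roles/logReader","status":{"code":7,"message":"PERMISSION_DENIED"}}}}
not-json debris line
"""

def triage_create_role(lines):
    """Return one finding per CreateRole event, with the fields the triage steps review."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line)["data"]["protoPayload"]
        except (ValueError, KeyError, TypeError):
            continue  # blank or malformed line, or not an audit-log-shaped record
        if not isinstance(payload, dict) or payload.get("methodName") != CREATE_ROLE:
            continue
        perms = (payload.get("response") or {}).get("included_permissions") or []
        findings.append({
            "actor": (payload.get("authenticationInfo") or {}).get("principalEmail"),
            "role": payload.get("resourceName"),
            # A non-zero status code means the call failed and no role was created.
            "succeeded": not (payload.get("status") or {}).get("code"),
            "permissions": perms,
            # Flag the review-first set plus any permission that edits an IAM policy.
            "review_first": sorted(p for p in perms
                                   if p in REVIEW_FIRST or p.endswith(".setIamPolicy")),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_create_role(SAMPLE_LOGS.splitlines()):
        print(finding)
```

A denied attempt still matches on the method name but carries no `response`, so it appears with an empty permission list and `succeeded` set to `False`.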
