Google Cloud exposed service account key

Goal

Detect when Google Cloud disables a key for being exposed.

Strategy

This rule monitors Cloud Audit Logs and detects when the principal gcp-compromised-key-response@system.gserviceaccount.com disabled a key. If Google Cloud detects an exposed key, it automatically disables the key.

Triage and response

  1. An abuse event is created in the Abuse Event logs.
  2. Investigate any other actions carried out by the compromised identity {{@data.protoPayload.request.name}} using the Cloud SIEM investigator.