GCP IAM Policy Modified
Security Monitoring is now available Security Monitoring is now available
<  Back to rules search

GCP IAM Policy Modified

gcp

Classification:

compliance

Set up the gcp integration.

Overview

Goal

Detect a change to the IAM policy.

Strategy

This rule lets you monitor GCP admin activity audit logs to determine when the SetIamPolicy method is invoked.

Triage & Response

  1. Review the log and inspect the policy deltas (@data.protoPayload.serviceData.policyDelta.bindingDeltas) and ensure none of the actions are REMOVE.