GCP IAM policy modified

gcp

Classification:

compliance

Set up the gcp integration.

Overview

Goal

Detect a change to the IAM policy.

Strategy

This rule lets you monitor GCP admin activity audit logs to determine when the SetIamPolicy method is invoked.

Triage & Response

  1. Review the log and inspect the policy deltas (@data.protoPayload.serviceData.policyDelta.bindingDeltas) and ensure none of the actions are REMOVE.
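The triage step above, sketched as an added example (not part of the original rule or the vendor's code): it filters entries for SetIamPolicy, reads the binding deltas at the path the rule names, and lists any REMOVE actions. The sample entries are constructed; matching on the last segment of the method name and flagging an entry with no recorded delta for manual review are assumptions of this example.

```python
import json

# Constructed sample entries (not real logs), shaped like GCP admin activity
# audit logs nested under the "data" attribute used in the rule's path.
SAMPLE_LOGS = [
    json.dumps({"data": {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "user:new@example.com"},
            {"action": "REMOVE", "role": "roles/owner", "member": "user:old@example.com"},
        ]}},
    }}}),
    json.dumps({"data": {"protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "ci@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "group:ops@example.com"},
        ]}},
    }}}),
    json.dumps({"data": {"protoPayload": {"methodName": "GetIamPolicy"}}}),
    json.dumps({"data": {"protoPayload": {"methodName": "SetIamPolicy"}}}),  # no delta recorded
]


def triage(line):
    """Return None for non-SetIamPolicy events, else a triage summary dict."""
    payload = json.loads(line).get("data", {}).get("protoPayload", {})
    # Assumption: the method may be reported fully qualified, so compare the last segment.
    if payload.get("methodName", "").split(".")[-1] != "SetIamPolicy":
        return None
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas"))
    removed = [d for d in deltas or [] if d.get("action") == "REMOVE"]
    return {
        "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
        "delta_missing": deltas is None,  # cannot confirm "no REMOVE" without deltas
        "removed": [(d.get("role"), d.get("member")) for d in removed],
        "needs_review": bool(removed) or deltas is None,
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        print(triage(entry))
```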