GCP Unauthorized Service Account Activity

Classification:

compliance

Set up the GCP integration.

Overview

Goal

Detect unauthorized activity by a service account in GCP.

Strategy

Monitor GCP logs and detect when a call made by a service account returns the error message PERMISSION_DENIED.

Triage & Response

  1. Determine the service account that made the unauthorized calls.
  2. Investigate whether there is a misconfiguration in IAM permissions or whether an attacker compromised the service account.
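
The strategy and the first triage step above, as an added example (not the rule's own query or code): a Python filter over exported Cloud Audit Logs entries that keeps PERMISSION_DENIED results for service-account principals and groups them by account. The field names follow the Cloud Audit Logs `protoPayload` layout; the sample entries, project and account names are constructed.

```python
import json
from collections import defaultdict

PERMISSION_DENIED = 7  # google.rpc.Code value carried in protoPayload.status.code

# Constructed sample entries in Cloud Audit Logs shape (not real log data).
SAMPLE_LOGS = """\
{"timestamp":"2024-01-01T10:00:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deployer@example-project.iam.gserviceaccount.com"},"methodName":"storage.objects.list","resourceName":"projects/_/buckets/example-bucket","status":{"code":7,"message":"PERMISSION_DENIED"}}}
{"timestamp":"2024-01-01T10:00:05Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deployer@example-project.iam.gserviceaccount.com"},"methodName":"storage.buckets.delete","resourceName":"projects/_/buckets/example-bucket","status":{"code":7,"message":"PERMISSION_DENIED"}}}
{"timestamp":"2024-01-01T10:01:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/example-bucket","status":{"code":7,"message":"PERMISSION_DENIED"}}}
{"timestamp":"2024-01-01T10:02:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"ci-deployer@example-project.iam.gserviceaccount.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/example-bucket","status":{}}}
{"timestamp":"2024-01-01T10:03:00Z","protoPayload":{"authenticationInfo":{"principalEmail":"123456789012-compute@developer.gserviceaccount.com"},"methodName":"storage.objects.get","resourceName":"projects/_/buckets/other-bucket","status":{"message":"PERMISSION_DENIED"}}}
not-json truncated line
"""

def is_service_account(principal):
    # Service account identities use addresses under gserviceaccount.com.
    return principal.endswith(".gserviceaccount.com")

def is_denied(status):
    message = status.get("message") or ""
    return status.get("code") == PERMISSION_DENIED or "PERMISSION_DENIED" in message

def denied_by_service_account(lines):
    """Map each service account to its denied (timestamp, method, resource) calls."""
    findings = defaultdict(list)
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if not isinstance(entry, dict):
            continue
        payload = entry.get("protoPayload") or {}
        principal = (payload.get("authenticationInfo") or {}).get("principalEmail") or ""
        status = payload.get("status") or {}
        if is_service_account(principal) and is_denied(status):
            findings[principal].append(
                (entry.get("timestamp"), payload.get("methodName"), payload.get("resourceName")))
    return dict(findings)

if __name__ == "__main__":
    for account, calls in denied_by_service_account(SAMPLE_LOGS.splitlines()).items():
        print(f"{account}: {len(calls)} denied call(s)")
        for timestamp, method, resource in calls:
            print(f"  {timestamp} {method} {resource}")
```

Grouping by account shows which methods and resources each service account was denied on, which is the starting point for the second triage step.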