
Summary
This detection rule identifies the deletion of Identity and Access Management (IAM) service account keys within Google Cloud Platform (GCP). These keys authenticate applications that access cloud resources, so a deletion event can signal unauthorized access or a policy violation. Regular rotation of service account keys is a recommended security practice, but malicious actors might also delete keys to disrupt services or erase traces of their intrusion. The rule inspects audit logs for the specific event actions associated with key deletion and flags potentially harmful activity so that investigation and response can happen promptly. Administrators should expect false positives from routine administrative tasks and automated scripts, and should tune alerting accordingly to balance security against normal operations.
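The following is an added example, not the rule's own implementation, of what the logic described above looks like when run over audit log lines: it parses constructed GCP Admin Activity audit entries, alerts on IAM service account key deletions, and suppresses a principal that is known to perform routine key rotation. The method name `google.iam.admin.v1.DeleteServiceAccountKey` and the service name `iam.googleapis.com` are taken from GCP's audit log conventions and are assumptions here, since the page does not spell them out; the log lines and principal addresses are made up.

```python
import json
from typing import Iterable

# Audit-log identifiers GCP records for a service account key deletion
# (assumed from Cloud Audit Log conventions; not stated on the rule page).
IAM_SERVICE = "iam.googleapis.com"
KEY_DELETE_METHOD = "google.iam.admin.v1.DeleteServiceAccountKey"

# Constructed sample log lines (not real data), one JSON entry per line,
# abbreviated to the protoPayload fields this rule needs.
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.DeleteServiceAccountKey","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/-/serviceAccounts/111/keys/aaa"}}',
    '{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/-/serviceAccounts/111/keys/bbb"}}',
    '{"timestamp":"2024-05-01T11:00:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.DeleteServiceAccountKey","authenticationInfo":{"principalEmail":"key-rotator@proj.iam.gserviceaccount.com"},"resourceName":"projects/-/serviceAccounts/222/keys/ccc"}}',
    '{"timestamp":"2024-05-01T12:00:00Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.DeleteServiceAccountKey","authenticationInfo":{"principalEmail":"mallory@example.com"},"resourceName":"projects/-/serviceAccounts/333/keys/ddd","status":{"code":7,"message":"PERMISSION_DENIED"}}}',
    'this line is not JSON and must not break the pipeline',
]


def detect_key_deletions(lines: Iterable[str], allowlist: frozenset = frozenset()) -> list:
    """Return one alert dict per IAM service account key deletion found in `lines`.

    Principals in `allowlist` (for example a known rotation automation) are
    skipped, which is the false-positive tuning the rule summary calls for.
    Denied attempts are still reported, marked succeeded=False, because a
    blocked deletion attempt is still worth an analyst's attention.
    """
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than stop processing
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != IAM_SERVICE:
            continue
        if payload.get("methodName") != KEY_DELETE_METHOD:
            continue  # other IAM actions (key creation etc.) are out of scope
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal in allowlist:
            continue  # routine, pre-approved rotation activity
        alerts.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "key": payload.get("resourceName"),
            "succeeded": payload.get("status", {}).get("code", 0) == 0,
        })
    return alerts
```

With the rotation service account allowlisted, the sample yields two alerts: the successful deletion by alice@example.com and the denied attempt by mallory@example.com.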
Categories
- Cloud
- GCP
- Identity Management
Data Sources
- Cloud Service
- Logon Session
- Application Log
ATT&CK Techniques
- T1098
Created: 2020-09-21