
GCP.Iam.ServiceAccountKeys.Create

Panther Rules

Summary
This rule flags a privilege-escalation path in Google Cloud Platform (GCP): a custom IAM role being updated to include the permission iam.serviceAccountKeys.create. Any principal holding that permission can mint a new user-managed key for a service account and then authenticate as that service account, inheriting every role bound to it. Granting the permission through a role update with no business justification is therefore a strong signal of either an attacker widening their access or an operator opening an escalation path. The rule runs over GCP Cloud Audit Logs (the Admin Activity log records IAM role changes), is enabled, and carries High severity because a successful escalation extends to everything the affected service account can reach. Its tests check that a role update which grants the ability to create service account keys fires and that unrelated role updates do not. Least privilege is the recommended mitigation: restrict iam.serviceAccountKeys.create to a small, audited set of principals, prefer workload identity or short-lived credentials over user-managed keys, and review custom roles regularly.
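The following is an added example of the detection logic described above, written in the style of a Panther Python rule and run over constructed audit log events; it is not Panther's published rule code. It assumes a role change appears as protoPayload.methodName google.iam.admin.v1.UpdateRole (CreateRole is included here as an extension beyond the page's description) and that the resulting Role object is returned in protoPayload.response with its permissions under includedPermissions; the deep_get helper, the sample events and the principal, project and role names are all constructed for illustration.

```python
"""Added example, not Panther's own rule code.

Detects a custom IAM role being changed to include
iam.serviceAccountKeys.create, using constructed GCP Admin Activity
audit log events.  Assumptions: the change surfaces as methodName
google.iam.admin.v1.UpdateRole (or CreateRole, an extension beyond the
page), and the resulting Role object sits in protoPayload.response with
its permissions under includedPermissions.
"""
from typing import Any, Dict, List

TARGET_PERMISSION = "iam.serviceAccountKeys.create"
ROLE_CHANGE_METHODS = {
    "google.iam.admin.v1.CreateRole",  # extension: new role born with the permission
    "google.iam.admin.v1.UpdateRole",  # the role update the page describes
}


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts, returning default when any key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def rule(event: Dict[str, Any]) -> bool:
    """True when a role change leaves the role holding the key-creation permission."""
    if deep_get(event, "protoPayload", "methodName") not in ROLE_CHANGE_METHODS:
        return False
    # Assumption: the Role returned by the API is echoed under protoPayload.response.
    permissions = deep_get(
        event, "protoPayload", "response", "includedPermissions", default=[]
    )
    return TARGET_PERMISSION in permissions


def title(event: Dict[str, Any]) -> str:
    """Alert title naming the actor, the method and the affected role."""
    actor = deep_get(event, "protoPayload", "authenticationInfo", "principalEmail",
                     default="<unknown principal>")
    role = deep_get(event, "protoPayload", "resourceName", default="<unknown role>")
    method = deep_get(event, "protoPayload", "methodName")
    return f"[GCP] {actor} granted {TARGET_PERMISSION} via {method} on {role}"


def _event(method: str, role: str, permissions: List[str],
           actor: str = "alice@example.com") -> Dict[str, Any]:
    """Build a constructed audit log event (not real data) in the assumed shape."""
    return {
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": method,
            "resourceName": role,
            "authenticationInfo": {"principalEmail": actor},
            "response": {
                "@type": "type.googleapis.com/google.iam.admin.v1.Role",
                "name": role,
                "includedPermissions": permissions,
            },
        }
    }


# Constructed sample events: two should alert, three should not.
SAMPLE_EVENTS = [
    _event("google.iam.admin.v1.UpdateRole", "projects/demo-proj/roles/keyMinter",
           ["iam.serviceAccounts.get", "iam.serviceAccountKeys.create"]),
    _event("google.iam.admin.v1.CreateRole", "projects/demo-proj/roles/viewerPlus",
           ["iam.serviceAccountKeys.create"], actor="bob@example.com"),
    _event("google.iam.admin.v1.UpdateRole", "projects/demo-proj/roles/readOnly",
           ["iam.serviceAccounts.get", "iam.serviceAccountKeys.list"]),
    _event("google.iam.admin.v1.GetRole", "projects/demo-proj/roles/keyMinter",
           ["iam.serviceAccountKeys.create"]),  # read, not a change
    {"protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole"}},  # no response body
]


def run(events: List[Dict[str, Any]]) -> List[str]:
    """Return an alert title for every event the rule fires on."""
    return [title(e) for e in events if rule(e)]


if __name__ == "__main__":
    for line in run(SAMPLE_EVENTS):
        print(line)
```

Note that an UpdateRole call which touches only the role's description but leaves an already-present iam.serviceAccountKeys.create in place will still fire under this logic, since it inspects the resulting permission set rather than the delta; if that produces noise, compare against protoPayload.request.updateMask or the previous role state before alerting.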
Categories
  • Cloud
  • GCP
  • Identity Management
Data Sources
  • Group
  • User Account
ATT&CK Techniques
  • T1548
Created: 2024-01-30