Federation
- Enable VPC Service Controls if handling sensitive data
- Implement organization policy constraints to limit service account creation
-
Consider implementing short-lived credentials using workload identity
-
Enable Cloud Audit Logs for all projects to improve visibility
Service Name: Google Cloud Platform
Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products. Service accounts are special accounts that represent non-human users that need to authenticate and be authorized to access data in Google APIs.
Service Address: https://cloud.google.com/
Validation Type: API Auth, NHI Enriched
IP Allow list: IP restrictions can be configured at the organization policy level or through VPC Service Controls.
Secret Access Scope: Grants programmatic access to GCP resources based on the roles assigned to the service account. Can provide access to various GCP services including Compute Engine, Cloud Storage, BigQuery, and more.
Secret Revokement URL: https://console.cloud.google.com/iam-admin/serviceaccounts
Secret Example: GCP Service Account Creds
Suspicious Activity Investigation Instructions:
- Review Cloud Audit Logs for unusual API calls or resource access
- Check IAM policy changes for the service account
- Monitor for unauthorized service usage or resource creation
- Review network traffic logs for unusual access patterns
- Check for unexpected service account key creation events
- Verify if the service account has been added to projects it shouldn't have access to
- Look for unusual authentication events from unexpected IP addresses
Mitigation Instructions:
- Immediately disable the compromised service account key in the GCP Console
- Navigate to IAM & Admin > Service Accounts in the GCP Console
- Select the affected service account and click on the "Keys" tab
- Delete the compromised key
- Create a new service account key if needed
{ "type": "service_account", "project_id": "example-project-123456", "private_key_id": "1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t", "private_key": "-----BEGIN PRIVATE KEY----- \nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7VJTUt9Us8cKj\nMzE fYyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76 oqFvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n", "client_email": "service-account@example-project- 123456.iam.gserviceaccount.com", "client_id": "123456789012345678901", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service- account%40example-project-123456.iam.gserviceaccount.com" } - Review and restrict IAM permissions for the service account to follow the Principle of Least Privilege
- Enable audit logging for the service account if not already enabled
- Consider implementing VPC Service Controls to restrict API access
- Implement key rotation policies for service account keys
- Consider using short-lived credentials with IAM Workload Identity instead of long-lived service account keys