GCP Service Account Creds
Service Name: Google Cloud Platform
Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products.
Service Address: https://cloud.google.com/
Validation Type: API Auth NHI Enriched
IP Allow list: Does not exist
Secret Access Scope: Grants access to Google Cloud resources based on the permissions assigned to the service account.
Secret Revokement URL: https://console.cloud.google.com/iam-admin/serviceaccounts
Secret Example: project-name-123456@project-name-123456.iam.gserviceaccount.com
Suspicious Activity Investigation Instructions:
- Review Google Cloud Audit logs for unusual activity from the service account
- Check for unauthorized API calls or resource access in Cloud Logging
- Examine IAM policy changes related to the service account
- Look for unusual geographic access patterns in the Security Command Center
- Monitor for unexpected increases in billing or resource usage
Mitigation Instructions:
- Immediately rotate the service account key by creating a new key and deleting the compromised one
- Navigate to the Google Cloud Console IAM & Admin section
- Select Service Accounts and locate the affected service account
- Delete the compromised key under the Keys tab
- Review and restrict IAM permissions assigned to the service account
- Enable VPC Service Controls to restrict API access if applicable
- Consider implementing Workload Identity Federation instead of service account keys