Google GCM Service Account
Service Name: Google Cloud Platform
Service Description: Google Cloud Platform (GCP) is a suite of cloud computing services that runs on the same infrastructure that Google uses internally for its end-user products, offering various services for computing, storage, networking, big data, machine learning and the Internet of Things (IoT).
Service Address: https://cloud.google.com/
GOOGLE GCM Service Account
- Validation Type: NHI Enriched
- IP Allow list: Does not exist
- Secret Access Scope: Grants access to Google Cloud Messaging (GCM) services and resources associated with the service account.
- Secret Revokement URL: https://console.cloud.google.com/iam- admin/serviceaccounts
- Secret Example:
{"type":"service_account","project_id":"my-project- 123456","private_key_id":"abcdef1234567890abcdef1234567890abcdef12","pri vate_key":"-----BEGIN PRIVATE KEY----- \nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj\nMzEf YyjiWA4R4/M2bS1GB4t7NXp98C3SC6dVMvDuictGeurT8jNbvJZHtCSuYEvu\nNMoSfm76oq FvAp8Gy0iz5sxjZmSnXyCdPEovGhLa0VzMaQ8s+CLOyS56YyCFGeJZ\n-----END PRIVATE KEY-----\n","client_email":"service-account@my-project- 123456.iam.gserviceaccount.com","client_id":"123456789012345678901","aut h_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https:// oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www. googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.goog leapis.com/robot/v1/metadata/x509/service-account%40my-project- 123456.iam.gserviceaccount.com"} - Suspicious Activity Investigation Instructions:
- Review Google Cloud audit logs for unauthorized API calls or resource access
- Check for unusual authentication events in the Google Cloud Console
- Examine service account usage patterns for anomalies
- Look for unexpected changes to service account permissions
- Monitor for unusual geographic access patterns
- Mitigation Instructions:
- Immediately disable the compromised service account in the Google Cloud Console
- Navigate to IAM & Admin > Service Accounts
- Select the compromised service account and click "Disable"
- Create a new service account with appropriate permissions
- Rotate all keys associated with the compromised service account
- Review and restrict the permissions granted to service accounts
- Enable audit logging for service account activities
- Consider implementing VPC Service Controls to restrict service account access