This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
The AlloyDB for PostgreSQL database superuser account (postgres)
wrote to user tables. The superuser (a role with very broad access) generally
shouldn't be used to write to user tables. A user account with more limited access
should be used for normal daily activity. When a superuser writes to a user
table, that could indicate that an attacker has escalated privileges or has
compromised the default database user and is modifying data. It could also
indicate normal but unsafe practices.
To respond to this finding, do the following:
Step 1: Review finding details
- Open an
Privilege Escalation: AlloyDB Database Superuser Writes to User Tablesfinding, as directed in Reviewing findings. On the Summary tab of the finding details panel, review the information in the following sections:
- What was detected, especially the following fields:
- Database display name: the name of the database in the AlloyDB for PostgreSQL instance that was affected.
- Database user name: the superuser.
- Database query: the SQL query executed while writing to user tables.
- Affected resource, especially the following fields:
- Resource full name: the resource name of the AlloyDB for PostgreSQL instance that was affected.
- Parent full name: the resource name of the AlloyDB for PostgreSQL instance.
- Project full name: the Google Cloud project that contains the AlloyDB for PostgreSQL instance.
- Related links, especially the following fields:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- What was detected, especially the following fields:
To see the complete JSON for the finding, click the JSON tab.
Step 2: Check logs
- In the Google Cloud console, go to Logs Explorer by clicking
the link in
cloudLoggingQueryURI(from Step 1). The Logs Explorer page includes all logs related to the relevant AlloyDB for PostgreSQL instance. - Check the logs for PostgreSQL pgaudit logs, which contain the queries
executed by the superuser, by using the following filters:
protoPayload.request.user="postgres"
Step 3: Research attack and response methods
- Review the MITRE ATT&CK framework entry for this finding type: Exfiltration Over Web Service.
- To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Review the users allowed to connect to the database.
- Consider changing the password for the superuser.
- Consider creating a new, limited access user
for the different types of queries used on the instance.
- Grant the new user only the necessary permissions needed to execute their queries.
- Update the credentials for the clients that connect to the AlloyDB for PostgreSQL instance
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.