Service account self-investigation

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Finding description

A service account credential is being used to investigate the roles and permissions associated with that same service account. This finding indicates that service account credentials might be compromised and immediate action should be taken.

Step 1: Review finding details

  1. Open a Discovery: Service Account Self-Investigation finding, as directed in Reviewing finding details earlier on this page. The details panel for the finding opens to the Summary tab.

  2. On the Summary tab, review the information in the following sections:

    • What was detected, especially the following fields:
      • Severity: the risk level assigned to the finding. The severity is HIGH if the API call that triggered this finding was unauthorized—the service account doesn't have permission to query its own IAM permissions with the projects.getIamPolicy API.
      • Principal email: the potentially compromised service account.
      • Caller IP: the internal or external IP address
    • Affected resource, especially the following fields:
      • Resource full name:
      • Project full name: the project that contains the potentially leaked account credentials.
    • Related links, especially the following fields:
      • Cloud Logging URI: link to Logging entries.
      • MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
      • Related findings: links to any related findings.
    1. To see the complete JSON for the finding, click the JSON tab.

Step 2: Review project and service account permissions

  1. In the Google Cloud console, go to the IAM page.

    Go to IAM

  2. If necessary, select the project listed in the projectID field of the finding JSON.

  3. On the page that appears, in the Filter box, enter the account name listed in Principal email and check assigned permissions.

  4. In the Google Cloud console, go to the Service Accounts page.

    Go to Service Accounts

  5. On the page that appears, in the Filter box, enter the name of the compromised service account and check the service account's keys and key creation dates.

Step 3: Check logs

  1. On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
  2. If necessary, select your project.
  3. On the page that loads, check logs for activity from new or updated IAM resources using the following filters:
    • proto_payload.method_name="google.iam.admin.v1.CreateServiceAccount"
    • protoPayload.methodName="SetIamPolicy"
    • protoPayload.authenticationInfo.principalEmail="principalEmail"

Step 4: Research attack and response methods

  1. Review the MITRE ATT&CK framework entry for this finding type: Permission Groups Discovery: Cloud Groups.
  2. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

  • Contact the owner of the project with the compromised account.
  • Delete the compromised service account and rotate and delete all service account access keys for the compromised project. After deletion, resources that use the service account for authentication lose access.
  • Delete project resources created by the compromised account, like unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.

What's next