This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
A leaked service account key was used to authenticate an action. In this context, a leaked service account key is one that was posted on the public internet. For example, service account keys are often mistakenly committed to a public GitHub repository.
To respond to this finding, do the following:
Step 1: Review finding details
- Open the Initial Access: Leaked Service Account Key Used finding, as directed in Reviewing findings. In the finding details, on the Summary tab, note the values of the following fields.
Under What was detected:
- Principal email: the service account used in this action
- Service name: the API name of the Google Cloud service that was accessed by the service account
- Method name: the method name of the action
- Service account key name: the leaked service account key used to authenticate this action
- Description: the description of what was detected, including the location on the public internet where the service account key can be found
Under Affected resource:
- Resource display name: the resource involved in the action
Step 2: Check logs
- In the Google Cloud console, go to Logs Explorer by clicking the link in Cloud Logging URI.
- On the Google Cloud console toolbar, select your project or organization.
On the page that loads, find related logs by using the following filter:
protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"
protoPayload.authenticationInfo.serviceAccountKeyName="SERVICE_ACCOUNT_KEY_NAME"
Replace PRINCIPAL_EMAIL with the value that you noted in the Principal email field in the finding details. Replace SERVICE_ACCOUNT_KEY_NAME with the value that you noted in the Service account key name field in the finding details.
Step 3: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Revoke the leaked service account key immediately on the Service Accounts page. Do this before anything else; every other step below can wait, but the key keeps working until it is disabled or deleted.
- Take down the web page or GitHub repository where the service account key is posted.
- Consider deleting the compromised service account.
- Rotate and delete all service account access keys for the potentially compromised project. After deletion, applications that use the service account for authentication lose access. Before deleting, your security team should identify all impacted applications and work with application owners to ensure business continuity.
- Work with your security team to identify unfamiliar resources, including Compute Engine instances, snapshots, service accounts, and IAM users. Delete resources not created with authorized accounts.
- Respond to any notifications from Cloud Customer Care.
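The following script, added here as an example and not part of Google's documentation or tooling, applies the Step 2 filter offline to exported audit log entries and prepares the Step 3 key revocation. The log entries are constructed for the example (the service account, project, key IDs and IP addresses are placeholders); the script reads JSON in the field layout Cloud Logging uses for audit logs, summarizes what the leaked key was used for (services, methods, caller IPs, resources, and whether the key was used to mint new keys, which would need revoking too), and parses the key name into project, service account and key ID to build the matching `gcloud iam service-accounts keys` commands. The commands are returned as strings for review rather than executed, and the `--project` flag is assumed to be the project named in the key name.

```python
"""Offline triage for an Initial Access: Leaked Service Account Key Used finding.

Added example, not Google's code. Input is audit log JSON, one LogEntry per
line, as exported from Cloud Logging. All sample data below is constructed.
"""
import json
from collections import Counter
from pprint import pprint

# Constructed values standing in for the fields noted from the finding.
PRINCIPAL = "ci-deploy@example-project.iam.gserviceaccount.com"
LEAKED_KEY = ("//iam.googleapis.com/projects/example-project/serviceAccounts/"
              + PRINCIPAL + "/keys/0123456789abcdef0123456789abcdef01234567")
OTHER_KEY = LEAKED_KEY.rsplit("/", 1)[0] + "/fedcba9876543210fedcba9876543210fedcba98"


def _entry(service, method, key, ip, resource, ts):
    """Build one constructed LogEntry in Cloud Audit Log field layout."""
    return json.dumps({
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "authenticationInfo": {"principalEmail": PRINCIPAL,
                                   "serviceAccountKeyName": key},
            "requestMetadata": {"callerIp": ip},
            "resourceName": resource,
        },
        "timestamp": ts,
    })


# Constructed sample: two actions with the leaked key, one with another key
# of the same service account (must not match the filter).
SAMPLE_LOG_LINES = [
    _entry("compute.googleapis.com", "v1.compute.instances.insert", LEAKED_KEY,
           "203.0.113.7",
           "projects/example-project/zones/us-central1-a/instances/vm-1",
           "2024-05-01T10:15:00Z"),
    _entry("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey",
           LEAKED_KEY, "203.0.113.7",
           "projects/-/serviceAccounts/" + PRINCIPAL, "2024-05-01T10:17:30Z"),
    _entry("storage.googleapis.com", "storage.objects.get", OTHER_KEY,
           "198.51.100.2",
           "projects/_/buckets/build-artifacts/objects/app.tar",
           "2024-05-01T09:00:00Z"),
]


def parse_key_name(key_name):
    """Split //iam.googleapis.com/projects/P/serviceAccounts/EMAIL/keys/KEY_ID
    into (project, email, key_id)."""
    prefix = "//iam.googleapis.com/projects/"
    if not key_name.startswith(prefix):
        raise ValueError("unexpected key name: " + key_name)
    project, _, rest = key_name[len(prefix):].partition("/serviceAccounts/")
    email, _, key_id = rest.partition("/keys/")
    if not (project and email and key_id):
        raise ValueError("unexpected key name: " + key_name)
    return project, email, key_id


def matching_entries(lines, principal_email, key_name):
    """Same predicate as the Step 2 Logs Explorer filter, sorted by time."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
        if (auth.get("principalEmail") == principal_email
                and auth.get("serviceAccountKeyName") == key_name):
            hits.append(entry)
    return sorted(hits, key=lambda e: e["timestamp"])


def summarize(entries):
    """What the leaked key did: services/methods, caller IPs, touched resources."""
    payloads = [e["protoPayload"] for e in entries]
    return {
        "count": len(entries),
        "first_seen": entries[0]["timestamp"] if entries else None,
        "last_seen": entries[-1]["timestamp"] if entries else None,
        "methods": Counter((p["serviceName"], p["methodName"]) for p in payloads),
        "caller_ips": Counter(p.get("requestMetadata", {}).get("callerIp")
                              for p in payloads),
        "resources": sorted({p.get("resourceName") for p in payloads}),
        # A leaked key minting new keys is persistence: those keys need revoking too.
        "created_new_keys": any(p["methodName"].endswith("CreateServiceAccountKey")
                                for p in payloads),
    }


def revocation_commands(key_name):
    """gcloud commands for Step 3: disable (reversible) first, list the rest, then delete."""
    project, email, key_id = parse_key_name(key_name)
    base = f"--iam-account={email} --project={project}"
    return [
        f"gcloud iam service-accounts keys disable {key_id} {base}",
        f"gcloud iam service-accounts keys list {base} --managed-by=user",
        f"gcloud iam service-accounts keys delete {key_id} {base}",
    ]


if __name__ == "__main__":
    hits = matching_entries(SAMPLE_LOG_LINES, PRINCIPAL, LEAKED_KEY)
    pprint(summarize(hits))
    print("\n".join(revocation_commands(LEAKED_KEY)))
```

Run it against real entries by replacing `SAMPLE_LOG_LINES` with the lines of a `gcloud logging read ... --format=json` export or a log sink file; `created_new_keys` being true means the attacker may already hold keys that the finding does not name, so list and review every user-managed key before deciding which to delete.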
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.