This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
A sensitive role was granted to an unmanaged account. Unmanaged accounts can't be controlled by system administrators. For example, when the corresponding employee leaves the company, the administrator can't delete the account. Therefore, granting sensitive roles to unmanaged accounts creates a potential security risk for the organization.
To respond to this finding, do the following:
Step 1: Review finding details
- Open the Persistence: Unmanaged Account Granted Sensitive Role finding, as directed in Reviewing findings. In the finding details, on the Summary tab, note the values of the following fields.
Under What was detected:
- Principal email: the user who conducted the granting action
- Offending access grants.Principal name: the unmanaged account that receives the grant
- Offending access grants.Role granted: the sensitive role granted
Step 2: Research attack and response methods
- Contact the owner of the Principal email field. Confirm whether the legitimate owner conducted the action.
- Check with the owner of the Offending access grants.Principal name field to understand the origin of the unmanaged account.
Step 3: Check logs
- On the Summary tab of the finding details panel, under Related links, click the Cloud Logging URI link to open the Logs Explorer.
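The following added example, which is not part of the original page or a Google-provided tool, shows one way to cross-check log entries against the fields noted in Step 1 by scanning SetIamPolicy audit log entries for sensitive roles added to user accounts that are not in your managed directory. The sensitive role set, the managed account list, and the sample log entries are assumptions constructed for illustration.

```python
import json
import sys

# Assumptions for this example, not values from the page: which roles count as
# sensitive, and a directory export listing the managed accounts.
SENSITIVE_ROLES = {"roles/owner", "roles/editor"}
MANAGED_ACCOUNTS = {"alice@example.com", "bob@example.com"}

# Constructed sample entries in the Cloud Audit Logs SetIamPolicy shape.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-01-01T10:00:00Z", "protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:carol@example.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "user:dave@example.com"},
            {"action": "REMOVE", "role": "roles/editor", "member": "user:erin@example.com"},
            {"action": "ADD", "role": "roles/editor", "member": "user:Bob@example.com"},
        ]}}}},
    {"timestamp": "2024-01-01T10:05:00Z", "protoPayload": {
        "methodName": "storage.buckets.get",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]


def risky_grants(entries):
    """Return one record per sensitive role added to an unmanaged user account."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if not payload.get("methodName", "").lower().endswith("setiampolicy"):
            continue  # only IAM policy changes are relevant
        granter = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            kind, _, email = delta.get("member", "").partition(":")
            if (delta.get("action") == "ADD" and kind == "user"
                    and delta.get("role") in SENSITIVE_ROLES
                    and email.lower() not in MANAGED_ACCOUNTS):
                hits.append({"time": entry.get("timestamp"), "granted_by": granter,
                             "principal": email, "role": delta["role"]})
    return hits


if __name__ == "__main__":
    # Pass a file holding a JSON array of log entries, or run on the sample.
    entries = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for hit in risky_grants(entries):
        print(hit)
```

Each returned record pairs the granting principal with the receiving account and role, which correspond to the Principal email and Offending access grants fields in the finding.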
Step 4: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Contact the owner of the project where the action was taken.
- Remove the access of the owner of the Principal email if that account is compromised.
- Remove the newly granted sensitive role from the unmanaged account.
- Consider converting the unmanaged account into a managed account by using the transfer tool, so that the account is under the control of system administrators.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.