Defense Evasion: Anonymous Sessions Granted Cluster Admin Access

This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.

Overview

A role-based access control (RBAC) ClusterRoleBinding object was created, adding the root-cluster-admin-binding behavior to anonymous users. Findings are classified as Low severity by default.

Detection service

Event Threat Detection

How to respond

To respond to this finding, do the following:

Review finding details

  1. Open the Defense Evasion: Anonymous Sessions Granted Cluster Admin Access finding as directed in Reviewing findings. Review the details in the Summary and JSON tabs.

  2. Identify other findings that occurred at a similar time for this resource. Related findings might indicate that this activity was malicious, instead of a failure to follow best practices.

  3. Review the settings of the affected resource.

  4. Check the logs for the affected resource.
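One way to carry out step 3 is to list the cluster's ClusterRoleBinding objects and flag any that bind the `cluster-admin` ClusterRole to the anonymous identities `system:anonymous` or `system:unauthenticated`. The following is an added example, not part of the original documentation; it assumes the input is the output of `kubectl get clusterrolebindings -o json`, and the sample data and binding names are constructed.

```python
import json

# Kubernetes identities that represent unauthenticated API requests.
ANONYMOUS_SUBJECTS = {("User", "system:anonymous"),
                      ("Group", "system:unauthenticated")}

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "cluster-admin",
                  "creationTimestamp": "2024-01-01T00:00:00Z"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "example-anon-admin",
                  "creationTimestamp": "2024-02-03T04:05:06Z"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "example-anon-view",
                  "creationTimestamp": "2024-02-03T04:06:00Z"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    # A binding can exist with no subjects at all.
    {"metadata": {"name": "example-no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
]})


def find_anonymous_admin_bindings(raw_json):
    """Return (name, created, anonymous subjects) for every ClusterRoleBinding
    that grants cluster-admin to an anonymous identity."""
    findings = []
    for item in json.loads(raw_json).get("items", []):
        role = item.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
            continue
        # `subjects` may be absent or null, so fall back to an empty list.
        hits = [s["name"] for s in item.get("subjects") or []
                if (s.get("kind"), s.get("name")) in ANONYMOUS_SUBJECTS]
        if hits:
            meta = item.get("metadata", {})
            findings.append((meta.get("name"), meta.get("creationTimestamp"), hits))
    return findings


if __name__ == "__main__":
    for name, created, subjects in find_anonymous_admin_bindings(SAMPLE):
        print(f"{name} (created {created}): cluster-admin -> {', '.join(subjects)}")
```

The creation timestamp of each flagged binding gives a starting point for the log review in step 4.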

Research attack and response methods

Review the MITRE ATT&CK framework entry for this finding type: Defense Evasion: Anonymous Sessions Granted Cluster Admin Access.
