This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Someone created an RBAC ClusterRole object that contains the bind, escalate, or impersonate verbs. A subject that's bound to a role with these verbs can impersonate other users with higher privileges, bind to additional Role or ClusterRole objects that contain additional permissions, or modify their own ClusterRole permissions. This might lead to those subjects gaining cluster-admin privileges. For more details, see the log message for this alert.
- Review the ClusterRole and associated ClusterRoleBindings to check whether the subjects actually require these permissions.
- If possible, avoid creating roles that involve the bind, escalate, or impersonate verbs.
- Determine whether there are other signs of malicious activity by the principal in the audit logs in Cloud Logging.
- When assigning permissions in an RBAC role, use the principle of least privilege and grant the minimum permissions needed to perform a task. Using the principle of least privilege reduces the potential for privilege escalation if your cluster is compromised, and reduces the likelihood that excessive access results in a security incident.
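The first response step, reviewing the ClusterRole and the ClusterRoleBindings that attach subjects to it, is mechanical enough to script. The following is an added example, not code from Security Command Center or from the Kubernetes project: it reads the JSON that `kubectl get clusterroles,clusterrolebindings -o json` produces, flags every ClusterRole whose rules grant bind, escalate or impersonate, and lists the subjects bound to each flagged role. It also treats a wildcard verb list (`*`) as sensitive, because a wildcard grants those verbs as well even though they are not named. The sample objects embedded in the block are constructed for the example, not captured from a real cluster.

```python
"""Added example, not code from the Security Command Center documentation:
a triage helper for this finding.  It flags ClusterRoles that grant the
bind, escalate or impersonate verbs and lists the subjects bound to them
through ClusterRoleBindings.

It reads the JSON shape produced by
    kubectl get clusterroles,clusterrolebindings -o json
The SAMPLE data below is constructed for the example, not captured from
a real cluster.
"""
import json

# Verbs that let a subject widen its own permissions.  "*" is included
# because a wildcard verb list grants bind, escalate and impersonate too.
SENSITIVE_VERBS = {"bind", "escalate", "impersonate", "*"}


def sensitive_rules(clusterrole):
    """Return [(sensitive verbs, resources)] for every rule that matches.
    Aggregated ClusterRoles can carry rules: null, hence the `or []`."""
    hits = []
    for rule in clusterrole.get("rules") or []:
        found = sorted(set(rule.get("verbs", [])) & SENSITIVE_VERBS)
        if found:
            hits.append((found, rule.get("resources", [])))
    return hits


def subject_id(subject):
    """Display name: ServiceAccounts are namespaced, users and groups are not."""
    if subject.get("kind") == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', '')}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def subjects_for(role_name, bindings):
    """Subjects of every ClusterRoleBinding whose roleRef points at role_name."""
    out = []
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") == "ClusterRole" and ref.get("name") == role_name:
            out.extend(subject_id(s) for s in binding.get("subjects") or [])
    return sorted(out)


def triage(objects):
    """objects: a kubectl List ({"items": [...]}) or a plain list of
    ClusterRole/ClusterRoleBinding objects.  Returns
    {role_name: {"verbs": [...], "resources": [...], "subjects": [...]}}
    for every ClusterRole that grants a sensitive verb."""
    items = objects["items"] if isinstance(objects, dict) else objects
    roles = [o for o in items if o.get("kind") == "ClusterRole"]
    bindings = [o for o in items if o.get("kind") == "ClusterRoleBinding"]
    report = {}
    for role in roles:
        hits = sensitive_rules(role)
        if not hits:
            continue
        name = role["metadata"]["name"]
        report[name] = {
            "verbs": sorted({v for verbs, _ in hits for v in verbs}),
            "resources": sorted({r for _, res in hits for r in res}),
            "subjects": subjects_for(name, bindings),
        }
    return report


# Constructed sample: one benign viewer role, two roles that would trigger
# this finding, and the bindings that attach subjects to them.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "rbac-delegator"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles", "clusterrolebindings"],
                "verbs": ["bind", "escalate", "get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "impersonator"},
     "rules": [{"apiGroups": [""],
                "resources": ["users", "groups", "serviceaccounts"],
                "verbs": ["impersonate"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-delegation"},
     "roleRef": {"kind": "ClusterRole", "name": "rbac-delegator"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci",
                   "name": "ci-bot"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-impersonate"},
     "roleRef": {"kind": "ClusterRole", "name": "impersonator"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]}

if __name__ == "__main__":
    # To run against a real cluster, replace SAMPLE with
    # json.load(open("rbac.json")) after
    # kubectl get clusterroles,clusterrolebindings -o json > rbac.json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Running the block against the sample prints rbac-delegator (bind, escalate; bound to ServiceAccount ci/ci-bot) and impersonator (impersonate; bound to User alice@example.com), while pod-viewer is not reported. The output is the worklist for the review: for each flagged role, confirm that every listed subject genuinely needs the verb, and cross-check the principal that created the role against the audit logs in Cloud Logging. Note that the script only follows ClusterRoleBindings; a ClusterRole can also be referenced from a namespaced RoleBinding, which grants the same verbs within that namespace, so extend the input with `rolebindings --all-namespaces` if you need that view.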
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.