This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
Someone created an RBAC ClusterRoleBinding that references the default system:controller:clusterrole-aggregation-controller ClusterRole. This default ClusterRole has the escalate verb, which allows subjects to modify the privileges of their own roles, allowing for privilege escalation. For more details, see the log message for this alert.
- Review any ClusterRoleBinding that references the system:controller:clusterrole-aggregation-controller ClusterRole.
- Review any modifications to the system:controller:clusterrole-aggregation-controller ClusterRole.
- Determine whether there are other signs of malicious activity by the principal who created the ClusterRoleBinding in the audit logs in Cloud Logging.
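One way to carry out the first review step, as an added example that is not part of the original page: the script below reads the JSON produced by `kubectl get clusterrolebindings -o json` and lists every binding whose roleRef is this ClusterRole, marking any that differ from the binding Kubernetes creates by default. The sample input is constructed, and the shape of the default binding (same name as the role, one kube-system service account subject) is an assumption to confirm against your cluster.

```python
import json

TARGET_ROLE = "system:controller:clusterrole-aggregation-controller"
# Assumption: the bootstrapped binding has the same name as the role and a
# single subject, the controller's service account in kube-system.
DEFAULT_SUBJECT = ("ServiceAccount", "kube-system", "clusterrole-aggregation-controller")


def find_bindings(binding_list):
    """Return ClusterRoleBindings that reference TARGET_ROLE, flagging non-default ones."""
    hits = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != TARGET_ROLE:
            continue
        # subjects may be missing or null; cluster-scoped subjects have no namespace
        subjects = [(s.get("kind"), s.get("namespace", ""), s.get("name"))
                    for s in item.get("subjects") or []]
        name = item["metadata"]["name"]
        is_default = name == TARGET_ROLE and subjects == [DEFAULT_SUBJECT]
        hits.append({
            "binding": name,
            "subjects": subjects,
            "created": item["metadata"].get("creationTimestamp"),
            "unexpected": not is_default,
        })
    return hits


# Constructed sample, shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "system:controller:clusterrole-aggregation-controller",
               "creationTimestamp": "2024-01-10T08:00:00Z"},
  "roleRef": {"kind": "ClusterRole", "name": "system:controller:clusterrole-aggregation-controller"},
  "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system",
                "name": "clusterrole-aggregation-controller"}]},
 {"metadata": {"name": "debug-tools", "creationTimestamp": "2024-05-02T13:37:00Z"},
  "roleRef": {"kind": "ClusterRole", "name": "system:controller:clusterrole-aggregation-controller"},
  "subjects": [{"kind": "User", "name": "dev@example.com"}]},
 {"metadata": {"name": "ops-admins", "creationTimestamp": "2024-02-01T09:00:00Z"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "ops"}]}
]}
""")

if __name__ == "__main__":
    for hit in find_bindings(SAMPLE):
        flag = "REVIEW" if hit["unexpected"] else "default"
        print(f'{flag:8} {hit["binding"]} created={hit["created"]} subjects={hit["subjects"]}')
```

The creation timestamp and subjects of each flagged binding give the time window and identities to search for in the audit logs.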
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.