English
Deutsch
Español
Español – América Latina
Français
Indonesia
Italiano
Português
Português – Brasil
中文 – 简体
中文 – 繁體
日本語
한국어

Console

Contact Us Start free

IAM threat findings

Security Command Center analyzes various logs to find potentially compromised IAM principals and other threats that can have cross-cutting impact across various resources in your cloud environment.

The following log-based detections are available with Event Threat Detection:

Defense Evasion: Modify VPC Service Control

Defense Evasion: Organization-Level Service Account Token Creator Role Added

Defense Evasion: Project-Level Service Account Token Creator Role Added

Discovery: Information Gathering Tool Used

Discovery: Service Account Self-Investigation

Discovery: Unauthorized Service Account API Call

Impact: Billing Disabled

Impact: Billing Disabled

Impact: Service API Disabled

Initial Access: Dormant Service Account Action

Initial Access: Dormant Service Account Key Created

Initial Access: Excessive Permission Denied Actions

Persistence: IAM Anomalous Grant

Persistence: New API Method

Persistence: New Geography

Persistence: New User Agent

Persistence: Service Account Key Created

Persistence: Unmanaged Account Granted Sensitive Role

Privilege Escalation: Anomalous Impersonation of Service Account for Admin Activity

Privilege Escalation: Anomalous Multistep Service Account Delegation for Admin Activity

Privilege Escalation: Anomalous Multistep Service Account Delegation for Data Access

Privilege Escalation: Anomalous Service Account Impersonator for Admin Activity

Privilege Escalation: Anomalous Service Account Impersonator for Data Access

Privilege Escalation: Dormant Service Account Granted Sensitive Role

Privilege Escalation: External Member Added To Privileged Group

Privilege Escalation: Impersonation Role Granted For Dormant Service Account

Privilege Escalation: New Service Account is Owner or Editor

Privilege Escalation: Privileged Group Opened To Public

Privilege Escalation: Sensitive Role Granted To Hybrid Group

Privilege Escalation: Suspicious Cross-Project Permission Use

Privilege Escalation: Suspicious Token Generation

Privilege Escalation: Suspicious Token Generation

Privilege Escalation: Suspicious Token Generation

Privilege Escalation: Suspicious Token Generation

Resource Development: Offensive Security Distro Activity

Initial Access: Leaked Service Account Key Used

Account has leaked credentials

Defense Evasion: Organization Policy Changed

Defense Evasion: Remove Billing Admin

Persistence: Add Sensitive Role

Persistence: Project SSH Key Added

What's next

Learn about Event Threat Detection.
Refer to the Threat findings index.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-10-24 UTC.