Skip to content

Files

Latest commit

 Cannot retrieve latest commit at this time.

History

History
93 lines (82 loc) · 2.71 KB

2.30.md

File metadata and controls

93 lines (82 loc) · 2.71 KB

2.30 - Service accounts or keys created by non-approved identity

Service accounts or service account keys created by non-approved identity e.g. manually by a user vs an automated workflow with a service account

Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

google.iam.admin.v1.CreateServiceAccountRequest

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "status": {
    },
    "authenticationInfo": {
      "principalEmail": "test@example.com",
      "principalSubject": "user:test@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "callerSuppliedUserAgent": "<redacted>",
      "requestAttributes": {
        "time": "2022-05-03T01:46:26.299551086Z",
        "auth": {
        }
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "iam.googleapis.com",
    "methodName": "google.iam.admin.v1.CreateServiceAccount",
    "authorizationInfo": [
      {
        "resource": "projects/1234",
        "permission": "iam.serviceAccounts.create",
        "granted": true,
        "resourceAttributes": {
        }
      }
    ],
    "resourceName": "projects/1234",
    "request": {
      "account_id": "sa-200",
      "@type": "type.googleapis.com/google.iam.admin.v1.CreateServiceAccountRequest",
      "name": "projects/1234",
      "service_account": {
      }
    },
    "response": {
      "unique_id": "1234567890123456789",
      "name": "projects/1234/serviceAccounts/sa-200@1234.iam.gserviceaccount.com",
      "project_id": "1234",
      "etag": "MDEwMjE5MjA=",
      "email": "sa-200@1234.iam.gserviceaccount.com",
      "@type": "type.googleapis.com/google.iam.admin.v1.ServiceAccount",
      "oauth2_client_id": "1234567890123456789"
    }
  },
  "insertId": "2ihezydi73o",
  "resource": {
    "type": "service_account",
    "labels": {
      "email_id": "sa-200@1234.iam.gserviceaccount.com",
      "project_id": "1234",
      "unique_id": "1234567890123456789"
    }
  },
  "timestamp": "2022-05-03T01:46:26.287102061Z",
  "severity": "NOTICE",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-05-03T01:46:27.807874121Z"
}