
Detect GCP IAM Configuration Changes

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: Low (generally tolerable risk)
Rule ID: CloudIAM-014

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Identity and Access Management (IAM) service level, in your GCP account.
Identity and Access Management (IAM) is an enterprise-grade access control service that enables you to authorize who can take action on specific GCP resources, giving you full control and visibility to manage your Google Cloud resources centrally. With IAM, you manage access control by defining who has what access to which resource.
The IAM service writes Cloud Audit Logs that record who used your IAM resources, from where, and when. Trend Micro Cloud One™ – Conformity RTMA uses the audit information collected by Identity and Access Management (IAM) to process and send notifications about the configuration changes made at the IAM service level.
The activity detected by the Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request made programmatically with the gcloud CLI or a client library, that triggers any of the following operational events:

  • "serviceAccounts.create" - Creates a service account. An IAM service account is a special type of account used by an application or a Google Cloud compute resource such as a virtual machine (VM) instance, rather than a person. Applications can use GCP service accounts to call Google Cloud APIs.
  • "serviceAccounts.patch" - Patches an IAM service account.
  • "serviceAccounts.setIamPolicy" - Sets the IAM policy that is associated with a service account. The IAM policy can be used to grant or revoke access to your service account.
  • "serviceAccounts.keys.create" - Creates a service account key. Public/private key pairs provide a way to establish the identity of a service account. A user-managed key is a long-lived credential that remains valid wherever the private half is copied, so key creation deserves particular attention.
  • "serviceAccounts.keys.upload" - Uploads the public key portion of a key pair that you manage, and associates the public key with a service account.
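As an added example (not Conformity's own code and not Google's), the following script applies the selection described above to a constructed NDJSON export of Cloud Audit Log entries, of the kind a Cloud Logging sink writes. It assumes the IAM Admin API's audit-log method names (google.iam.admin.v1.CreateServiceAccountKey and so on) for the five events listed; the project, principals, resource names and IP addresses in the sample are made up. It also builds the equivalent Cloud Logging filter string, which can be pasted into `gcloud logging read` or a log-based alert.

```python
"""Flag IAM service-account changes in exported GCP Cloud Audit Log entries.

Added example (not Conformity's code or Google's). It assumes the Cloud
Audit Log methodName values of the IAM Admin API (google.iam.admin.v1.*)
and a newline-delimited JSON export such as a Cloud Logging sink produces;
confirm the method names against your own logs before relying on them.
"""
import json

# Map from the audit-log methodName (assumed) to the event name used in the list above.
WATCHED_METHODS = {
    "google.iam.admin.v1.CreateServiceAccount": "serviceAccounts.create",
    "google.iam.admin.v1.PatchServiceAccount": "serviceAccounts.patch",
    "google.iam.admin.v1.SetIAMPolicy": "serviceAccounts.setIamPolicy",
    "google.iam.admin.v1.CreateServiceAccountKey": "serviceAccounts.keys.create",
    "google.iam.admin.v1.UploadServiceAccountKey": "serviceAccounts.keys.upload",
}

# The same selection as a Cloud Logging filter, usable with `gcloud logging read`
# or as the condition of a log-based alert.
LOGGING_FILTER = (
    'protoPayload.serviceName="iam.googleapis.com" AND ('
    + " OR ".join(f'protoPayload.methodName="{m}"' for m in WATCHED_METHODS)
    + ")"
)


def classify_entry(entry):
    """Return a finding for a watched IAM change, or None for anything else."""
    payload = entry.get("protoPayload", {})
    # Restrict to the IAM service: SetIamPolicy on a project, for instance,
    # is logged by cloudresourcemanager.googleapis.com under a different methodName.
    if payload.get("serviceName") != "iam.googleapis.com":
        return None
    method = payload.get("methodName", "")
    if method not in WATCHED_METHODS:
        return None
    # Audit entries carry protoPayload.status only when the call failed;
    # a denied attempt is still worth reporting (someone tried).
    status_code = payload.get("status", {}).get("code", 0)
    return {
        "event": WATCHED_METHODS[method],
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "resource": payload.get("resourceName", "<unknown>"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp", "<unknown>"),
        "succeeded": status_code == 0,
        "timestamp": entry.get("timestamp"),
    }


def scan(ndjson_lines):
    """Parse newline-delimited JSON log entries and return findings in log order."""
    findings = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        finding = classify_entry(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample export (four entries); not real log data.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {   # user-managed key created for a service account: watched, succeeded
        "timestamp": "2022-12-14T10:01:02Z",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "resourceName": "projects/example-prj/serviceAccounts/deploy@example-prj.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "203.0.113.7"},
        },
    },
    {   # read-only call on the IAM service: not watched
        "timestamp": "2022-12-14T10:01:30Z",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.GetServiceAccount",
            "resourceName": "projects/example-prj/serviceAccounts/deploy@example-prj.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
    },
    {   # project-level policy change: different service, belongs to another rule
        "timestamp": "2022-12-14T10:02:00Z",
        "protoPayload": {
            "serviceName": "cloudresourcemanager.googleapis.com",
            "methodName": "SetIamPolicy",
            "resourceName": "projects/example-prj",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    },
    {   # service-account creation attempt rejected with PERMISSION_DENIED (code 7)
        "timestamp": "2022-12-14T10:03:15Z",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": "google.iam.admin.v1.CreateServiceAccount",
            "resourceName": "projects/example-prj",
            "authenticationInfo": {"principalEmail": "mallory@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.23"},
            "status": {"code": 7, "message": "Permission denied"},
        },
    },
])


if __name__ == "__main__":
    print("Cloud Logging filter:\n ", LOGGING_FILTER)
    for f in scan(SAMPLE_LOG.splitlines()):
        outcome = "OK" if f["succeeded"] else "DENIED"
        print(f'{f["timestamp"]} {outcome:6} {f["event"]:30} by {f["principal"]} '
              f'from {f["caller_ip"]} on {f["resource"]}')
```

Run against the sample, the script reports two findings: the successful key creation by alice@example.com and the denied service-account creation by mallory@example.com. Filtering on `serviceName` as well as `methodName` matters, because `SetIamPolicy` is logged by several services and only the IAM service's entry refers to a service account's own policy.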

Identity and Access Management (IAM) controls which users have permission to access your Google Cloud resources and the type of actions they can perform on them. If a service account or a service account key is created or modified by inexperienced personnel, the result can be a long-lived key that works from wherever it is copied, or a policy binding that lets more identities than intended impersonate the service account, which gives attackers something to find and exploit. To adhere to Google Cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to successfully perform its tasks), Trend Micro Cloud One™ – Conformity strongly recommends that you grant the permission to make IAM configuration changes within your GCP account only to administrators.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The supported communication channels for receiving notification alerts about IAM configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.


Categories: Security, Cost optimisation

Because Identity and Access Management (IAM) is the main point of access control for resources within your Google Cloud Platform (GCP) account, monitoring IAM configuration changes is vital for keeping your cloud environment secure.
As your organization grows and more people get involved in the operational aspect of the cloud environment administration, the tendency is to create more IAM identities than required, and this poses an operational risk for your GCP environment.
As a security best practice, you need to be aware of any configuration change made at the IAM service level. Using Trend Micro Cloud One™ – Conformity RTMA to monitor IAM configuration changes can help you prevent any accidental or intentional modifications that may lead to severe security breaches, data leaks, data loss, or unexpected charges on your GCP bill.


Publication date Dec 14, 2022
