Detect GCP IAM Configuration Changes

Trend Micro Cloud One™ – Conformity Real-Time Threat Monitoring and Analysis (RTMA) engine has detected configuration changes made at the Identity and Access Management (IAM) service level, in your GCP account.
Identity and Access Management (IAM) is an enterprise-grade access control service that enables you to authorize who can take action on specific GCP resources, giving you full control and visibility to manage your Google Cloud resources centrally. With IAM, you manage access control by defining who has what access to which resource.
The IAM service is configured to write audit logs that help you find who used your IAM resources, where and when. Trend Micro Cloud One™ – Conformity RTMA uses the audit information collected by Identity and Access Management (IAM) to process and send notifications about the configurations changes made at the IAM service level.
The activity detected by the Conformity RTMA feature could be, for example, a user action initiated through the Google Cloud Console or an API request initiated programmatically using gcloud CLI, that triggers any of the following operational events:

• "serviceAccounts.create" - Creates a service account. An IAM service account is a special type of account used by an application or a Google Cloud compute resource such as a virtual machine (VM) instance, rather than a person. Applications can use GCP service accounts to call Google Cloud APIs.
• "serviceAccounts.patch" - Patches an IAM service account.
• "serviceAccounts.setIamPolicy" - Sets the IAM policy that is associated with a service account. The IAM policy can be used to grant or revoke access to your service account.
• "serviceAccounts.keys.create" - Creates a service account key. Public/private key pairs provide a secure way to establish the identity of a service account.
• "serviceAccounts.keys.upload" - Uploads the public key portion of a key pair that you manage, and associates the public key with a service account.

Identity and Access Management (IAM) can be used to control which users have permission to access your Google Cloud resources and the type of actions they can perform on these resources. If a service account or a service account key is created and/or modified by inexperienced personnel, it can allow attackers to identify possible vulnerabilities and attempt to exploit them to their own advantage. To adhere to Google Cloud security best practices and implement the Principle of Least Privilege (i.e. the practice of providing every user/process/system the minimal amount of access required to successfully perform its tasks), Trend Micro Cloud One™ – Conformity strongly recommends that you avoid as much as possible to provide GCP users (except administrators) the permission to perform IAM configuration changes within your GCP account.
The communication channels for sending RTMA notifications can be quickly configured in your Conformity account. The list of supported communication channels that you can use to receive notification alerts for IAM configuration changes are SMS, Email, Slack, PagerDuty, ServiceNow, and Zendesk.

This rule resolution is part of the Conformity solution.