GCP IAM Role Deletion
Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM role to inhibit access to accounts utilized by legitimate users.
Elastic rule
[metadata]
creation_date = "2020/09/22"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies an Identity and Access Management (IAM) role deletion in Google Cloud Platform (GCP). A role contains a set
of permissions that allows you to perform specific actions on Google Cloud resources. An adversary may delete an IAM
role to inhibit access to accounts utilized by legitimate users.
"""
false_positives = [
    """
    Role deletions may be done by a system or network administrator. Verify whether the user email, resource name,
    and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should be
    investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Role Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP IAM Role Deletion

Google Cloud Platform's IAM roles define permissions for actions on resources, crucial for managing access. Adversaries might delete roles to disrupt legitimate user access, hindering operations. The detection rule monitors audit logs for successful role deletions, signaling potential unauthorized access removal, thus aiding in identifying and mitigating such security threats.

### Possible investigation steps

- Review the audit logs for the specific event.action:google.iam.admin.v*.DeleteRole to identify the exact role that was deleted and the associated project or resource.
- Identify the user or service account responsible for the deletion by examining the actor information in the audit logs.
- Check the event.timestamp to determine when the role deletion occurred and correlate it with any other suspicious activities around the same time.
- Investigate the event.outcome:success to confirm that the role deletion was completed successfully and assess the potential impact on access and operations.
- Analyze the context of the deletion by reviewing recent changes or activities in the project or organization to understand if the deletion was part of a legitimate change or an unauthorized action.
- Contact the user or team responsible for the project to verify if the role deletion was intentional and authorized, and gather additional context if needed.

### False positive analysis

- Routine administrative actions may trigger alerts when roles are deleted as part of regular maintenance or restructuring. To manage this, create exceptions for known administrative accounts or scheduled maintenance windows.
- Automated scripts or tools that manage IAM roles might cause false positives if they delete roles as part of their operation. Identify these scripts and exclude their actions from triggering alerts by using specific service accounts or tags.
- Deletion of temporary or test roles used in development environments can be mistaken for malicious activity. Implement filters to exclude actions within designated development projects or environments.
- Changes in organizational structure or policy might necessitate role deletions, which could be misinterpreted as threats. Document and communicate these changes to the security team to adjust monitoring rules accordingly.
- Third-party integrations or services that manage IAM roles could inadvertently cause false positives. Ensure these services are properly documented and their actions are whitelisted if deemed non-threatening.

### Response and remediation

- Immediately revoke any active sessions and credentials associated with the deleted IAM role to prevent unauthorized access.
- Restore the deleted IAM role from a backup or recreate it with the same permissions to ensure legitimate users regain access.
- Conduct a thorough review of recent IAM activity logs to identify any unauthorized changes or suspicious activities related to IAM roles.
- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
- Implement additional monitoring on IAM role changes to detect and alert on any future unauthorized deletions promptly.
- Review and tighten IAM role permissions to ensure the principle of least privilege is enforced, reducing the risk of similar incidents.
- Consider enabling additional security features such as multi-factor authentication (MFA) for accounts with permissions to modify IAM roles.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://cloud.google.com/iam/docs/understanding-roles"]
risk_score = 21
rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Impact",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1531"
name = "Account Access Removal"
reference = "https://attack.mitre.org/techniques/T1531/"


[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
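To show what the KQL query above actually selects, and how the triage and exception guidance in the note maps onto the events, here is an added Python example (not Elastic's code) that applies the same three conditions to constructed ECS-style audit events, pulls the who/when/which-role fields the investigation steps ask for, and drops hits from exempted automation accounts. The `event.*` fields come from the rule; the `gcp.audit.authentication_info.principal_email` and `gcp.audit.resource_name` paths are assumptions about the integration's mapping and should be checked against your index.

```python
import fnmatch
from typing import Any

# Constructed sample events in the ECS shape the GCP integration emits.
# event.* fields are those the rule queries; the gcp.audit.* actor and
# resource paths are assumptions about the mapping, adapt to your index.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {"@timestamp": "2025-01-15T10:02:11Z",  # successful deletion: should alert
     "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteRole", "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "alice@example.com"},
                       "resource_name": "projects/demo-proj/roles/customViewer"}}},
    {"@timestamp": "2025-01-15T10:03:40Z",  # denied attempt: outcome is not success
     "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteRole", "outcome": "failure"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "mallory@example.com"},
                       "resource_name": "projects/demo-proj/roles/customAdmin"}}},
    {"@timestamp": "2025-01-15T10:05:02Z",  # other API version (constructed): the v* wildcard still matches
     "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v2.DeleteRole", "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "iam-bot@demo-proj.iam.gserviceaccount.com"},
                       "resource_name": "projects/demo-proj/roles/tempRole"}}},
    {"@timestamp": "2025-01-15T10:06:30Z",  # role creation, not a deletion
     "event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.CreateRole", "outcome": "success"},
     "gcp": {"audit": {"authentication_info": {"principal_email": "alice@example.com"},
                       "resource_name": "projects/demo-proj/roles/customViewer"}}},
]

def get_field(event: dict[str, Any], dotted: str) -> Any:
    """Walk a nested dict along an ECS dotted path; None if any segment is missing."""
    node: Any = event
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches_rule(event: dict[str, Any]) -> bool:
    """Mirror the KQL: event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteRole
    and event.outcome:success. The action is matched whole and case-sensitively, as KQL
    does for a wildcard value on a keyword field."""
    action = get_field(event, "event.action")
    return (get_field(event, "event.dataset") == "gcp.audit"
            and isinstance(action, str)
            and fnmatch.fnmatchcase(action, "google.iam.admin.v*.DeleteRole")
            and get_field(event, "event.outcome") == "success")

def triage_summary(event: dict[str, Any]) -> dict[str, Any]:
    """Collect the fields the investigation steps ask for: when, who, which role."""
    return {"timestamp": event.get("@timestamp"),
            "actor": get_field(event, "gcp.audit.authentication_info.principal_email"),
            "role": get_field(event, "gcp.audit.resource_name")}

def run_rule(events: list[dict[str, Any]], exempt_actors=frozenset()) -> list[dict[str, Any]]:
    """Apply the rule, then drop hits from known automation accounts (the rule's exception guidance)."""
    return [triage_summary(e) for e in events
            if matches_rule(e) and triage_summary(e)["actor"] not in exempt_actors]
```

Every hit keeps the actor and the `resource_name` so the analyst can go straight to the "who deleted which role" question; an exempted service account is dropped only after the rule itself matched, which is how an exception on the Elastic side behaves as well.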
References
- https://cloud.google.com/iam/docs/understanding-roles
Related rules
- GCP Service Account Deletion
- GCP Service Account Disabled
- GCP IAM Custom Role Creation
- GCP IAM Service Account Key Deletion
- GCP Service Account Creation