GCP IAM Service Account Key Deletion

Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP). Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best practice is to rotate your service account keys regularly.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/09/21"
integration = ["gcp"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the deletion of an Identity and Access Management (IAM) service account key in Google Cloud Platform (GCP).
Each service account is associated with two sets of public/private RSA key pairs that are used to authenticate. If a key
is deleted, the application will no longer be able to access Google Cloud resources using that key. A security best
practice is to rotate your service account keys regularly.
"""
false_positives = [
    """
    Service account key deletions may be done by a system or network administrator. Verify whether the user email,
    resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
index = ["filebeat-*", "logs-gcp*"]
language = "kuery"
license = "Elastic License v2"
name = "GCP IAM Service Account Key Deletion"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating GCP IAM Service Account Key Deletion

In GCP, IAM service account keys authenticate applications to access resources. Regular key rotation is crucial for security. Adversaries might delete keys to disrupt services or cover tracks after unauthorized access. The detection rule monitors audit logs for successful key deletions, flagging potential misuse or policy violations, aiding in timely investigation and response.

### Possible investigation steps

- Review the audit logs for the specific event.action: google.iam.admin.v*.DeleteServiceAccountKey to identify the service account key that was deleted.
- Check the event.outcome: success to confirm the key deletion was successful and not an attempted action.
- Identify the user or service account responsible for the deletion by examining the actor information in the audit logs.
- Investigate the context around the deletion event, including the timestamp and any preceding or subsequent actions in the logs, to understand the sequence of events.
- Verify if the key deletion aligns with the organization's key rotation policy or if it appears suspicious or unauthorized.
- Assess the impact of the key deletion on applications or services that rely on the affected service account for authentication.
- If unauthorized activity is suspected, initiate a broader investigation into potential unauthorized access or other malicious activities involving the affected service account.

### False positive analysis

- Routine key rotation activities by administrators can trigger alerts. To manage this, establish a baseline of expected key rotation schedules and exclude these from alerts.
- Automated scripts or tools that perform regular maintenance and key management might cause false positives. Identify these scripts and whitelist their actions in the monitoring system.
- Service account keys associated with non-critical or test environments may be deleted frequently as part of normal operations. Consider excluding these environments from the alerting criteria to reduce noise.
- Temporary service accounts used for short-term projects or testing may have keys deleted as part of their lifecycle. Document these accounts and adjust the detection rule to ignore deletions from these specific accounts.

### Response and remediation

- Immediately revoke any remaining access for the compromised service account to prevent further unauthorized access to Google Cloud resources.
- Investigate the audit logs to identify any unauthorized actions performed using the deleted key and assess the impact on affected resources.
- Recreate the deleted service account key if necessary, ensuring that the new key is securely stored and access is restricted to authorized personnel only.
- Implement additional monitoring on the affected service account to detect any further suspicious activities or unauthorized access attempts.
- Escalate the incident to the security operations team for a comprehensive review and to determine if further investigation or response is required.
- Review and update the key rotation policy to ensure that service account keys are rotated more frequently and securely managed to prevent similar incidents in the future.

## Setup

The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://cloud.google.com/iam/docs/service-accounts",
    "https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
]
risk_score = 21
rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: Google Cloud Platform",
    "Use Case: Identity and Access Audit",
    "Tactic: Persistence",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:gcp.audit and event.action:google.iam.admin.v*.DeleteServiceAccountKey and event.outcome:success
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
...
```
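The KQL query above, re-implemented in Python over constructed sample audit events so the three ANDed clauses (dataset, wildcard action, outcome) and the rule's suggested false-positive exemption of known rotation automation can be exercised offline. This is an added example, not Elastic's code; the ECS field names `user.email` and `gcp.audit.resource_name` for the actor and the deleted key are assumptions about how the GCP integration maps audit logs.

```python
import fnmatch

# Constructed sample audit events in ECS shape (not real logs); field names
# for actor and resource are assumptions about the Elastic GCP integration.
SAMPLE_EVENTS = [
    {"event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteServiceAccountKey",
               "outcome": "success"}, "user": {"email": "alice@example.com"},
     "gcp": {"audit": {"resource_name": "projects/-/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/KEY1"}}},
    {"event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteServiceAccountKey",
               "outcome": "failure"}, "user": {"email": "mallory@example.com"},
     "gcp": {"audit": {"resource_name": "projects/-/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/KEY2"}}},
    {"event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.CreateServiceAccountKey",
               "outcome": "success"}, "user": {"email": "alice@example.com"},
     "gcp": {"audit": {"resource_name": "projects/-/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/KEY3"}}},
    {"event": {"dataset": "gcp.audit", "action": "google.iam.admin.v1.DeleteServiceAccountKey",
               "outcome": "success"}, "user": {"email": "key-rotator@demo.iam.gserviceaccount.com"},
     "gcp": {"audit": {"resource_name": "projects/-/serviceAccounts/app@demo.iam.gserviceaccount.com/keys/KEY4"}}},
]

# The rule's query as field -> KQL value pattern; '*' is a wildcard.
RULE = {"event.dataset": "gcp.audit",
        "event.action": "google.iam.admin.v*.DeleteServiceAccountKey",
        "event.outcome": "success"}

def get_field(doc, dotted):
    """Resolve an ECS dotted field name such as 'event.action' in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_rule(doc, rule=RULE):
    """All clauses are ANDed; wildcards match case-sensitively, as on a keyword field."""
    for field, pattern in rule.items():
        value = get_field(doc, field)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True

def find_alerts(events, exempt_actors=frozenset()):
    """Return (actor, deleted key resource) per hit, skipping actors the analyst
    has baselined as routine rotation automation (the rule's false-positive advice)."""
    alerts = []
    for doc in events:
        actor = get_field(doc, "user.email")
        if matches_rule(doc) and actor not in exempt_actors:
            alerts.append((actor, get_field(doc, "gcp.audit.resource_name")))
    return alerts

if __name__ == "__main__":
    for actor, key in find_alerts(SAMPLE_EVENTS, {"key-rotator@demo.iam.gserviceaccount.com"}):
        print(f"ALERT: {actor} deleted {key}")
```

The failed deletion (KEY2) and the key creation (KEY3) never match, which is the point of the `event.outcome:success` and action clauses; the exemption set removes the rotation bot without touching the interactive deletion.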
