GCP IAM Custom Role Creation
Detection of Identity and Access Management (IAM) custom role creation in Google Cloud Platform (GCP), which can indicate potential privilege escalation or persistence by adversaries creating roles with excessive permissions.
This threat brief focuses on the detection of IAM custom role creation within Google Cloud Platform (GCP). IAM custom roles are user-defined roles that bundle one or more supported permissions, allowing for tailored access management. While legitimate use cases exist, adversaries can exploit this feature by creating roles with excessive permissions, potentially leading to privilege escalation or persistence. This activity can be used to maintain unauthorized access and control within the GCP environment. Defenders should monitor for anomalous role creation activity, especially roles with broad or unusual permission sets, as these could signal malicious intent. The rule is designed to work with GCP Fleet integration, Filebeat module, or similarly structured data.
Attack Chain
- An attacker gains initial access to a GCP account, possibly through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the GCP environment using valid credentials (T1078).
- The attacker explores existing IAM roles and permissions to identify potential escalation paths.
- The attacker crafts a custom IAM role with overly permissive privileges (T1098, T1098.003), granting themselves access to critical resources.
- The attacker creates the custom IAM role using the
google.iam.admin.v*.CreateRoleAPI call. - The event is logged as a successful operation (
event.outcome:success) in the GCP audit logs. - The attacker assigns the newly created custom role to a compromised or attacker-controlled user or service account.
- The attacker leverages the escalated privileges to access sensitive data, modify configurations, or deploy malicious workloads, achieving persistence or further compromising the environment.
Impact
Successful exploitation can lead to significant damage, including unauthorized access to sensitive data, compromised systems, and potential data exfiltration. The creation of custom roles with excessive permissions can enable adversaries to maintain persistent access to the GCP environment, escalate privileges, and bypass existing security controls. Organizations may experience data breaches, financial losses, and reputational damage.
Recommendation
- Deploy the provided Sigma rules to your SIEM to detect suspicious IAM custom role creation events in GCP (logsource: gcp.audit).
- Review and audit existing IAM roles and permissions regularly to identify and remediate overly permissive configurations.
- Implement the principle of least privilege when assigning permissions to IAM roles, both built-in and custom.
- Monitor GCP audit logs for
google.iam.admin.v*.CreateRoleevents and investigate any unexpected or unauthorized role creation activity. - Ensure that only authorized personnel have the necessary permissions to create custom IAM roles, and implement controls to prevent unauthorized role creation.
- Establish a baseline of expected role creation activity and investigate any deviations from this baseline.
Detection coverage 3
GCP IAM Custom Role Creation
mediumDetects the creation of IAM custom roles in GCP, which may indicate potential privilege escalation or persistence.
GCP IAM Custom Role with Wildcard Permissions
highDetects the creation of IAM custom roles that include wildcard permissions, which are overly permissive and should be avoided.
GCP IAM Custom Role Creation by Uncommon Identity
mediumDetects IAM custom role creation from unusual users or service accounts, potentially indicating compromised accounts or malicious activity.
Detection queries are available on the platform. Get full rules →