GCP IAM Service Account Key Deletion
Detection of Identity and Access Management (IAM) service account key deletion in Google Cloud Platform (GCP), potentially indicating malicious activity such as disrupting services or covering tracks after unauthorized access.
This alert identifies the deletion of an Identity and Access Management (IAM) service account key within Google Cloud Platform (GCP). Each service account relies on a pair of public/private RSA keys for authentication. Deleting a key prevents associated applications from accessing Google Cloud resources. While regular key rotation is a security best practice, unauthorized or unexpected key deletions can indicate malicious activity, such as attempts to disrupt services or conceal unauthorized access. This detection focuses on successful key deletions as logged in GCP audit logs.
Attack Chain
- An attacker gains unauthorized access to a GCP account through compromised credentials or a misconfigured IAM policy.
- The attacker enumerates existing service accounts to identify potential targets for disruption or privilege escalation.
- The attacker selects a service account with the intent to disrupt dependent applications or services.
- The attacker executes the
google.iam.admin.v*.DeleteServiceAccountKeyAPI call to delete the key associated with the targeted service account. - The GCP audit logs record a successful deletion event (
event.outcome: success). - Legitimate applications or services that rely on the deleted service account key fail to authenticate, leading to service disruption.
- The attacker may attempt to further compromise the environment or exfiltrate data, taking advantage of the chaos and confusion caused by the disruption.
Impact
Successful deletion of a service account key can disrupt critical applications and services relying on that key for authentication and authorization. The severity of the impact depends on the importance of the affected service account and the scope of its access. While the specific number of affected organizations is unknown, a successful attack could lead to temporary outages, data unavailability, and reputational damage.
Recommendation
- Deploy the Sigma rule
GCP IAM Service Account Key Deletionto your SIEM to detect unauthorized key deletions. - Investigate any alerts triggered by the
GCP IAM Service Account Key DeletionSigma rule, paying close attention to the actor, affected service account, and context of the deletion event. - Review IAM policies and service account permissions to minimize the blast radius of compromised service accounts.
- Enforce multi-factor authentication (MFA) for all GCP user accounts to reduce the risk of credential compromise.
- Implement regular service account key rotation policies and monitor for deviations from established baselines.
Detection coverage 2
GCP IAM Service Account Key Deletion
lowDetects the deletion of a Google Cloud Platform (GCP) IAM service account key.
GCP IAM Service Account Key Deletion - Non Success
infoDetects attempts to delete a Google Cloud Platform (GCP) IAM service account key, even if the deletion was not successful.
Detection queries are available on the platform. Get full rules →