GCP Service Account Logged In From New Source
This alert occurs when Lacework detects a service account has logged in from a new source for the first time.
Why this Alert is Important
Service accounts are used by applications and processes to access GCP resources. If a service account is accessed from a new source that hasn't been previously authorized, it could mean that an attacker has gained access to the credentials and is attempting to use them to gain unauthorized access to GCP resources.
Investigation
If you suspect that a service account in your GCP project has been compromised, consider the following steps for your investigation:
- Check the audit logs for when the service account was accessed, what actions were performed, and from which IP address or source. You can use Cloud Logging to view your audit logs and search for any suspicious activity related to the service account.
- Review IAM permissions to confirm the service account has only the necessary permissions to perform its intended functions. Check for any unexpected changes to the service account's permissions, such as additional roles or permissions that could indicate that the service account has been compromised.
- Look for any unusual activity related to the service account, such as unexpected API calls, failed authentication attempts, or data exfiltration.
- Disable the service account.
- Investigate the source of the compromise, such as phishing attempts, password leaks, or vulnerabilities in the service account's configuration.
- Reset credentials.
- Monitor for further signs of compromise.
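The audit log review in the first step can be scripted once entries are exported from Cloud Logging as JSON. The following is an added example, not Lacework's detection logic or code from this page: it separates the caller IPs a service account used during a baseline window from those first seen afterwards and lists what each new source did. The service account name, IP addresses, cutoff date and sample entries are constructed; the field names follow the Cloud Audit Logs entry layout.

```python
from collections import defaultdict
from datetime import datetime

def parse_ts(ts):
    # Audit log timestamps are RFC 3339 UTC; drop sub-second digits for portability.
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")

def new_source_activity(entries, principal, baseline_end):
    """Return (known_ips, {new_ip: [(timestamp, service, method), ...]}) for one principal."""
    cutoff = parse_ts(baseline_end)
    known, new = set(), defaultdict(list)
    for e in sorted(entries, key=lambda e: parse_ts(e["timestamp"])):
        p = e.get("protoPayload", {})
        if p.get("authenticationInfo", {}).get("principalEmail") != principal:
            continue
        ip = p.get("requestMetadata", {}).get("callerIp", "unknown")
        if parse_ts(e["timestamp"]) < cutoff:
            known.add(ip)  # baseline window: sources treated as expected
        elif ip not in known:
            new[ip].append((e["timestamp"], p.get("serviceName"), p.get("methodName")))
    return known, dict(new)

def _entry(ts, principal, ip, service, method):
    # Build a constructed entry using the Cloud Audit Logs field layout.
    return {"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "serviceName": service, "methodName": method}}

SA = "sa-build@example-project.iam.gserviceaccount.com"     # constructed name
OTHER = "sa-other@example-project.iam.gserviceaccount.com"  # constructed name
SAMPLE = [  # constructed entries; IPs are from documentation ranges
    _entry("2024-03-01T08:00:00Z", SA, "192.0.2.10", "storage.googleapis.com", "storage.objects.get"),
    _entry("2024-03-02T08:00:00.123456789Z", SA, "192.0.2.10", "storage.googleapis.com", "storage.objects.list"),
    _entry("2024-03-10T02:14:07Z", SA, "203.0.113.77", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey"),
    _entry("2024-03-10T02:15:30Z", SA, "203.0.113.77", "storage.googleapis.com", "storage.objects.list"),
    _entry("2024-03-10T03:00:00Z", OTHER, "198.51.100.5", "storage.googleapis.com", "storage.objects.get"),
    _entry("2024-03-10T09:00:00Z", SA, "192.0.2.10", "storage.googleapis.com", "storage.objects.get"),
]

if __name__ == "__main__":
    known, new = new_source_activity(SAMPLE, SA, "2024-03-09T00:00:00Z")
    print("baseline sources:", sorted(known))
    for ip, calls in new.items():
        print("new source:", ip)
        for ts, service, method in calls:
            print("  ", ts, service, method)
```

Calls from a new source that create keys or change IAM bindings are the ones to follow up first, since they point to the permission changes the second step asks you to check.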
Resolution
After identifying that a service account in GCP has been compromised, it is important to take immediate action to prevent further damage. Here are some steps you can take to resolve the issue:
- Disable the service account. This can be done by going to the IAM & Admin page in the GCP console, locating the compromised service account and clicking Disable.
- If the service account was used to generate access tokens, you should revoke them immediately to prevent further access. You can do this by going to the APIs & Services page in the GCP console, selecting Credentials and then revoking any access tokens associated with the compromised service account.
- Review the audit logs and any other relevant data to determine how the account was accessed and what actions were taken.
- Reset any affected credentials. If the compromised service account had access to any sensitive data or resources, you should reset any credentials or passwords associated with those resources to prevent further unauthorized access.
- Implement additional security measures such as multi-factor authentication or access controls to prevent similar incidents from happening in the future.
- Monitor for further suspicious activity.