New GCP Region

This alert occurs when Lacework detects activity in a GCP region that has not previously been used in your environment.

Why this Alert is Important

A region is a specific geographic location where Google has data centers that can be used to host your resources. Each region consists of one or more zones, isolated locations within the region designed to be independent and fault-tolerant.

When creating resources in GCP, such as virtual machines or storage buckets, you typically choose a specific region where the resources will be located. The region you select determines the physical location of your resources and can affect their performance and availability.

Activity in a region your organization has never used can indicate that a compromised credential is being used to create resources where they are less likely to be noticed (for example, compute instances that are never reviewed because nobody looks at that region), or that data is being copied to storage in an unfamiliar location. It can also be a legitimate change, such as a new deployment target, so confirm with the resource owners before treating it as an incident.

Investigation

If you suspect that resources have been created in a region your organization does not use, investigate immediately to identify potential security threats. Here are some steps you can take to investigate the incident:

  1. Review Cloud Audit Logs (Admin Activity) to identify which principal created or modified resources in the new region, from which caller IP address, and whether the same principal has performed any other unusual activity across the environment.
  2. Review network logs for any suspicious activity related to the new region, such as unusual traffic patterns or attempts to access resources from unfamiliar IP addresses.
  3. Analyze resource configurations to identify any unauthorized changes or misconfigurations that may have been made.
  4. Check access controls for any resources in the new region to ensure that only authorized users and services have access.
  5. Perform a security assessment to identify any vulnerabilities or weaknesses, such as leaked service account keys or over-privileged identities, that may have been exploited to create resources in the new region.
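The following script is an added example of step 1 and is not Lacework's detection logic or the page's own code. It walks Cloud Audit Log entries, derives the region each entry refers to, and reports every entry in a region outside an allowlist of regions the organization is known to use. The entries below are constructed by hand in the shape of Admin Activity audit log JSON; the project ID, principals, IP addresses and the KNOWN_REGIONS allowlist are placeholders chosen for the example.

```python
"""Flag Cloud Audit Log entries whose resource location is outside the
regions an organization is known to use.

Added example, not Lacework's own logic. Entries are constructed in the
shape of Cloud Audit Logs (Admin Activity) LogEntry JSON; project IDs,
principals and IP addresses are placeholders.
"""
from collections import Counter

# Assumption: the regions this organization has deliberately used so far.
# Multi-region bucket locations (e.g. "US", "EU") are normalized to lower
# case, so add them here in lower case if they are legitimately in use.
KNOWN_REGIONS = {"us-central1", "europe-west1"}

# Constructed sample entries (not real log data).
SAMPLE_ENTRIES = [
    {   # expected: compute instance in a known region
        "timestamp": "2024-05-01T10:02:11Z",
        "resource": {"type": "gce_instance",
                     "labels": {"project_id": "example-prod", "zone": "us-central1-a"}},
        "protoPayload": {"methodName": "v1.compute.instances.insert",
                         "authenticationInfo": {"principalEmail": "deployer@example-prod.iam.gserviceaccount.com"},
                         "requestMetadata": {"callerIp": "203.0.113.10"}},
    },
    {   # suspicious: instance created in a region nobody uses
        "timestamp": "2024-05-01T23:41:05Z",
        "resource": {"type": "gce_instance",
                     "labels": {"project_id": "example-prod", "zone": "asia-southeast1-b"}},
        "protoPayload": {"methodName": "v1.compute.instances.insert",
                         "authenticationInfo": {"principalEmail": "alice@example.com"},
                         "requestMetadata": {"callerIp": "198.51.100.7"}},
    },
    {   # suspicious: bucket created in the same unfamiliar region
        "timestamp": "2024-05-01T23:43:30Z",
        "resource": {"type": "gcs_bucket",
                     "labels": {"project_id": "example-prod", "location": "asia-southeast1"}},
        "protoPayload": {"methodName": "storage.buckets.create",
                         "authenticationInfo": {"principalEmail": "alice@example.com"},
                         "requestMetadata": {"callerIp": "198.51.100.7"}},
    },
    {   # global resource: carries no location, so it is ignored
        "timestamp": "2024-05-01T23:45:00Z",
        "resource": {"type": "iam_role", "labels": {"project_id": "example-prod"}},
        "protoPayload": {"methodName": "google.iam.admin.v1.CreateRole",
                         "authenticationInfo": {"principalEmail": "alice@example.com"},
                         "requestMetadata": {"callerIp": "198.51.100.7"}},
    },
]


def location_of(entry):
    """Return the region an entry refers to, or None for global resources.

    Regional resources carry a "region" or "location" label; zonal ones
    carry a "zone" such as "us-central1-a", whose region is the zone with
    the trailing "-<letter>" removed.
    """
    labels = entry.get("resource", {}).get("labels", {})
    if "region" in labels:
        return labels["region"].lower()
    if "location" in labels:
        return labels["location"].lower()
    if "zone" in labels:
        return labels["zone"].lower().rsplit("-", 1)[0]
    return None


def new_region_events(entries, known_regions=KNOWN_REGIONS):
    """Return the entries that touch a region outside known_regions,
    reduced to the fields an analyst needs first: who, from where, what."""
    findings = []
    for entry in entries:
        region = location_of(entry)
        if region is None or region in known_regions:
            continue
        payload = entry.get("protoPayload", {})
        findings.append({
            "timestamp": entry.get("timestamp"),
            "region": region,
            "resource_type": entry.get("resource", {}).get("type"),
            "method": payload.get("methodName"),
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        })
    return findings


def summarize(findings):
    """Pivot the findings by region, principal and caller IP so the scope of
    the activity is visible at a glance."""
    return {
        "regions": sorted({f["region"] for f in findings}),
        "principals": dict(Counter(f["principal"] for f in findings)),
        "caller_ips": dict(Counter(f["caller_ip"] for f in findings)),
    }


if __name__ == "__main__":
    hits = new_region_events(SAMPLE_ENTRIES)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

To run it against real data, export the relevant window with `gcloud logging read 'logName:"cloudaudit.googleapis.com%2Factivity"' --format=json`, load the resulting JSON array, and pass it to `new_region_events`. The summary pivots are the useful part: one principal and one caller IP creating both compute and storage in the same unfamiliar region is a much stronger signal than a single entry, and it tells you which credential to suspend first.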

Resolution

After confirming that resources were created in a new GCP region without authorization, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Isolate the affected resources immediately to prevent any further unauthorized access or modification, for example by cutting their network access and suspending or rotating the credentials of the principal that created them.
  2. Investigate the source of the threat to identify any vulnerabilities or weaknesses that may have been exploited.
  3. Remove the resources that were created in the new region. A region cannot itself be removed from a GCP project, so this means deleting the unauthorized instances, buckets and other resources, after preserving anything needed as evidence (for example, disk snapshots and copies of the relevant audit logs).
  4. Review access controls to ensure that only authorized users and services have access to your GCP environment and that access controls are properly configured.
  5. Implement security measures to prevent similar incidents in the future, such as increasing monitoring and alerting, implementing multi-factor authentication, improving security policies and procedures, and using the organization policy constraint constraints/gcp.resourceLocations to restrict resource creation to the regions your organization actually uses.