Service Called GCP API

This alert occurs when Lacework detects that a user has accessed a GCP service via an API call.

Why this Alert is Important

API access can be an entry point for attackers to reach sensitive data or perform unauthorized actions. Monitoring API access helps identify suspicious or unauthorized activity that may indicate a security breach.

Investigation

To investigate potentially malicious service access via API calls in GCP, follow these steps:

  1. Check the audit logs to see which API calls were made by the service account in question. Look for any suspicious or unauthorized API calls.
  2. Determine whether the attack was targeted at a specific resource or is widespread.
  3. Identify the source of the API call and investigate whether it was made from a legitimate service account. Check if the service account has appropriate permissions to make the API call.
  4. Determine the potential impact of the attack on your resources and data. Review any changes or modifications to your resources and investigate potential data breaches.
  5. Review your security controls and identify any potential vulnerabilities that may have allowed the attack to occur.
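The following script is an added triage example for investigation steps 1 and 3; it is not part of the original page and is not Lacework or Google code. It takes GCP Cloud Audit Log entries (the JSON shape exported from Cloud Logging, with the calling identity, method, resource and caller IP under `protoPayload`) and summarizes, per principal, which API methods were called, on which resources, from which IPs, and which calls the API denied for lack of permission. The sample entries, the service account and user names, and the allowed egress range `203.0.113.0/24` are all constructed for the example.

```python
"""Triage helper for a "Service Called GCP API" alert (added example).

Reads GCP Cloud Audit Log entries and groups them by calling principal so an
analyst can see which API methods a service account invoked, on which
resources, from which caller IPs, and whether any call was denied.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed identities for the sample data (not real accounts).
SA = "app-sa@example-project.iam.gserviceaccount.com"
USER = "alice@example.com"


def _entry(principal, service, method, resource, ip,
           granted=True, permission=None, ts=""):
    """Build a minimal audit log entry. Only the fields this script reads
    are present; real entries carry many more."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": service,
            "methodName": method,
            "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "authorizationInfo": [
                {"permission": permission or method, "granted": granted}
            ],
        },
    }


# Constructed sample log: a service account lists and reads a bucket from the
# expected range, then tries to change the bucket's IAM policy from an
# unexpected IP and is denied; a human user lists VM instances.
SAMPLE_ENTRIES = [
    _entry(SA, "storage.googleapis.com", "storage.objects.list",
           "projects/_/buckets/example-bucket", "203.0.113.10",
           ts="2024-01-01T10:00:00Z"),
    _entry(SA, "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/example-bucket/objects/report.csv",
           "203.0.113.10", ts="2024-01-01T10:00:05Z"),
    _entry(SA, "storage.googleapis.com", "storage.setIamPermissions",
           "projects/_/buckets/example-bucket", "198.51.100.7",
           granted=False, permission="storage.buckets.setIamPolicy",
           ts="2024-01-01T10:02:00Z"),
    _entry(USER, "compute.googleapis.com", "v1.compute.instances.list",
           "projects/example-project/zones/us-central1-a/instances",
           "203.0.113.20", ts="2024-01-01T10:03:00Z"),
]


def summarize_audit_entries(entries):
    """Group entries by calling principal.

    Returns {principal: {"methods": Counter, "resources": set,
                         "caller_ips": set, "denied": list}}.
    A call is recorded as denied when any authorizationInfo element has
    granted == False, i.e. the API rejected it for lack of that permission.
    """
    summary = defaultdict(lambda: {"methods": Counter(), "resources": set(),
                                   "caller_ips": set(), "denied": []})
    for entry in entries:
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get(
            "principalEmail", "<unknown>")
        record = summary[principal]
        method = payload.get("methodName", "<unknown>")
        record["methods"][method] += 1
        if payload.get("resourceName"):
            record["resources"].add(payload["resourceName"])
        ip = payload.get("requestMetadata", {}).get("callerIp")
        if ip:
            record["caller_ips"].add(ip)
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted") is False:
                record["denied"].append({"timestamp": entry.get("timestamp"),
                                         "method": method,
                                         "permission": auth.get("permission"),
                                         "caller_ip": ip})
    return dict(summary)


def _outside_allowed(ip, networks):
    """True if ip parses as an address and lies outside every allowed network.
    Non-address markers (assumed to appear for internal callers) are skipped."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in networks)


def unexpected_callers(summary, allowed_cidrs):
    """Return {principal: set(ips)} for caller IPs outside allowed_cidrs,
    an allow-list of ranges you maintain (assumed here to be NAT egress ranges)."""
    networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = {}
    for principal, record in summary.items():
        outside = {ip for ip in record["caller_ips"]
                   if _outside_allowed(ip, networks)}
        if outside:
            flagged[principal] = outside
    return flagged


if __name__ == "__main__":
    result = summarize_audit_entries(SAMPLE_ENTRIES)
    for who, rec in result.items():
        print(who)
        print("  methods:   ", dict(rec["methods"]))
        print("  caller IPs:", sorted(rec["caller_ips"]))
        print("  denied:    ", rec["denied"])
    print("callers outside allowed ranges:",
          unexpected_callers(result, ["203.0.113.0/24"]))
```

Run it against entries exported from Cloud Logging (for example `gcloud logging read` with a filter on `protoPayload.authenticationInfo.principalEmail`, written out as JSON) in place of `SAMPLE_ENTRIES`. Denied calls are worth attention even though nothing changed: a principal probing for permissions it does not hold, especially from an address outside your known ranges, is the pattern step 3 asks you to check.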

Resolution

To resolve unauthorized service access via API calls in GCP, follow these steps:

  1. Immediately revoke access to the service account that made the unauthorized API calls.
  2. Review the audit logs to determine the extent of the breach. Identify any resources that were accessed or modified by the unauthorized API calls.
  3. If any resources were modified or deleted due to the breach, restore them from backups.
  4. Review your security controls to identify weaknesses that may have allowed unauthorized access. Consider implementing additional security controls such as multi-factor authentication or stricter access controls.
  5. If the breach involves sensitive data, report it to the appropriate authorities following applicable laws and regulations.