Detection: Compute Disk IAM Policy Set

Overview

Detect when a Compute disk IAM policy was set. Unauthorized changes can expose disks to potential security risks. Monitoring such updates helps enforce secure access controls.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.compute_disk_iam_policy_set

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.compute_disk_iam_policy_set --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
operation as operation_src,
resource as resource_src,
*
exclude operation, resource

from
  gcp_audit_log
where
  method_name ilike '%.compute.disks.setiampolicy'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)

order by
  timestamp desc;

Detection: Compute Disk IAM Policy Set

Overview

Usage

SQL

Tags