Azure and GCP Perimeter Security, CIS Updates, and Enhanced Plugins →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-gcp-audit-log-detections
Overview
3Dashboards
40Benchmarks
47Queries
1Variables
GitHub

Detection: Compute Disk IAM Policy Set

Overview

Detect when a Compute disk IAM policy was set. Unauthorized changes can expose disks to potential security risks. Monitoring such updates helps enforce secure access controls.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.compute_disk_iam_policy_set

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.compute_disk_iam_policy_set --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
operation as operation_src,
resource as resource_src,
*
exclude operation, resource


from
  gcp_audit_log
where
  method_name ilike '%.compute.disks.setiampolicy'
  and severity != 'Error'


order by
  timestamp desc;

Tags

category = Detection
folder = Compute
mitre_attack_ids = TA0005:T1578.005
plugin = gcp
service = GCP/Compute