Detection: Compute Image IAM Policy Set
Overview
Detect when a Compute image IAM policy was set. These changes can expose sensitive images to unauthorized access, leading to potential security risks. Monitoring such updates ensures proper access controls.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.compute_image_iam_policy_setSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.compute_image_iam_policy_set --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from gcp_audit_logwhere method_name ilike '%.compute.images.setiampolicy' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;