Detection: Compute Snapshot IAM Policy Set
Overview
Detect when a Compute snapshot IAM policy was set. Unauthorized changes can expose sensitive backups to potential security risks. Monitoring such updates ensures proper access management.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.compute_snapshot_iam_policy_setSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.compute_snapshot_iam_policy_set --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from gcp_audit_logwhere method_name ilike '%.compute.snapshots.setiampolicy' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;