Detection: IAM Owner Role Policy Set
Overview
Detect when an IAM policy granting the owner role was set. Assigning the owner role provides full access to resources, which can expose systems to security risks if misused. Monitoring these actions ensures secure role assignments.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.iam_owner_role_policy_setSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.iam_owner_role_policy_set --shareSQL
This detection uses a named query:
with role_bindings as( select *, unnest(from_json((request -> 'policy' -> 'bindings'), '["JSON"]')) as bindings from gcp_audit_log where method_name ilike 'google.iam.admin.v%.setiampolicy')select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row data*
from role_bindingswhere (bindings ->> 'role') = 'roles/owner' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;