Detection: IAM Service Account Created
Overview
Detect when an IAM service account was created in GCP. Service accounts are used by applications and services to access GCP resources, and unauthorized or unintended creation of service accounts can lead to privilege escalation or unauthorized access. Monitoring these events helps ensure proper governance and prevents security risks.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_createdSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.iam_service_account_created --shareSQL
This detection uses a named query:
select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row dataoperation as operation_src,resource as resource_src,*exclude operation, resource
from gcp_audit_logwhere method_name ilike 'google.iam.admin.v%.createserviceaccount' and severity != 'Error'-- TODO: Do we need to check operation?-- and (operation_src is null or operation_src.last = true)
order by timestamp desc;