Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/tailpipe-mod-gcp-audit-log-detections
Overview
3Dashboards
40Benchmarks
47Queries
1Variables
GitHub

Detection: IAM Service Account Key Created

Overview

Detect when an IAM service account key was created in GCP. Service account keys provide access to GCP resources and, if mismanaged or exposed, can lead to unauthorized access or data breaches. Monitoring these events ensures secure key management and helps prevent potential security vulnerabilities.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_key_created

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_key_created --share

SQL

This detection uses a named query:

select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
*


from
  gcp_audit_log
where
  method_name ilike 'google.iam.admin.v%.createserviceaccountkey'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)


order by
  timestamp desc;

Tags

category = Detection
mitre_attack_ids = TA0001:T1078,TA0003:T1098,TA0003:T1136
plugin = gcp
service = GCP/IAM