Detection: IAM Service Account Token Creator Role Assigned
Overview
Detect when the roles/iam.serviceAccountTokenCreator role was assigned in GCP. This role allows the creation of access tokens and impersonation of service accounts, which can lead to unauthorized access if assigned improperly. Monitoring these events ensures secure access management and prevents privilege escalation.
References:
Usage
Run the detection in your terminal:
powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_token_creator_role_assignedSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe detection run gcp_audit_log_detections.detection.iam_service_account_token_creator_role_assigned --shareSQL
This detection uses a named query:
with role_bindings as( select *, unnest(from_json((request -> 'policy' -> 'bindings'), '["JSON"]')) as bindings from gcp_audit_log where method_name ilike 'google.iam.admin.v%.setiampolicy')select tp_timestamp as timestamp,method_name as operation,resource_name as resource,authentication_info.principal_email as actor,tp_source_ip as source_ip,tp_index as project,tp_id as source_id,-- Create new aliases to preserve original row dataoperation as operation_src,resource as resource_src,*exclude operation, resource
from role_bindingswhere (bindings ->> 'role') like '%roles/iam.serviceAccountTokenCreator%' and severity != 'Error'
order by timestamp desc;