Detection: IAM Service Account Token Creator Role Assigned

Overview

Detect when the roles/iam.serviceAccountTokenCreator role was assigned in GCP. This role allows the creation of access tokens and impersonation of service accounts, which can lead to unauthorized access if assigned improperly. Monitoring these events ensures secure access management and prevents privilege escalation.

References:

Usage

Run the detection in your terminal:

powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_token_creator_role_assigned

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe detection run gcp_audit_log_detections.detection.iam_service_account_token_creator_role_assigned --share

SQL

This detection uses a named query:

with role_bindings as(
  select
    *,
    unnest(from_json((request -> 'policy' -> 'bindings'), '["JSON"]')) as bindings
  from
    gcp_audit_log
  where
    method_name ilike 'google.iam.admin.v%.setiampolicy'
)
select
  tp_timestamp as timestamp,
method_name as operation,
resource_name as resource,
authentication_info.principal_email as actor,
tp_source_ip as source_ip,
tp_index as project,
tp_id as source_id,
-- Create new aliases to preserve original row data
*

from
  role_bindings
where
  (bindings ->> 'role') like '%roles/iam.serviceAccountTokenCreator%'
  and severity != 'Error'
-- TODO: Do we need to check operation?
-- and (operation_src is null or operation_src.last = true)

order by
  timestamp desc;

Detection: IAM Service Account Token Creator Role Assigned

Overview

Usage

SQL

Tags