
Multiple denied GCP API calls requiring investigation

ID: gcp_access_denied
Data type: Google Cloud Platform
Severity: Low
MITRE ATT&CK: TA0007 (Discovery): T1580 (Cloud Infrastructure Discovery)

Description

AlphaSOC detected multiple GCP API calls that were denied with status code 7 in the audit log (PERMISSION_DENIED in google.rpc.Code; the access-denied status), which may indicate unauthorized access attempts or misconfigurations. While occasional permission errors are common, repeated access denials may signal threat actors attempting to enumerate resources, test stolen credentials, escalate privileges, or exploit misconfigurations.

Impact

Multiple denied GCP API calls can indicate reconnaissance where threat actors probe the environment to map resources and identify security boundaries. Attackers leveraging compromised credentials with limited permissions often generate access denials while testing access scope and attempting privilege escalation. If successful, adversaries could gain unauthorized access to sensitive data, manipulate resources, disrupt services, or perform other unauthorized actions.

Severity

Severity    Condition
Low         Multiple denied GCP API calls requiring investigation

Investigation and Remediation

Review GCP audit logs for events with protoPayload.status.code equal to 7 (PERMISSION_DENIED, the access-denied status) and analyze protoPayload.methodName and protoPayload.serviceName to identify the attempted actions. Verify the principal that generated the requests (protoPayload.authenticationInfo.principalEmail) and check the source IP address, user agent, and location recorded in protoPayload.requestMetadata. Compare the attempted actions against the principal's intended role: denials confined to the services the principal is meant to use usually indicate a missing permission, while denials spread across many unrelated services (compute, IAM, secrets, storage) from one principal suggest enumeration with a stolen or over-curious credential.

If the activity appears malicious, disable the compromised principal (suspend the user account or disable the service account) and rotate any service account keys it could have used. Examine all other activity by the same principal, including successful calls, for unauthorized actions or privilege escalation attempts that did succeed. For legitimate misconfigurations, grant the missing IAM permissions following least privilege principles rather than broad roles.
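The triage described above, as an added example that is not part of the AlphaSOC documentation or product: a Python script that reads newline-delimited Cloud Audit Log entries (the shape `gcloud logging read` emits), keeps only the code-7 denials, groups them by principal with the methods, services, caller IPs and user agents involved, and labels each principal as a likely misconfiguration or as suspicious by comparing the denied services against the services that principal is expected to use. The log entries, principal names, project and the expected-service map are constructed for illustration; only the field names are the real audit log fields.

```python
import json
from collections import Counter, defaultdict

PERMISSION_DENIED = 7  # google.rpc.Code value written to protoPayload.status.code

# Constructed sample audit log entries (hypothetical principals and IPs, not real logs).
# Only the fields the triage reads are populated; the success entry has no status block.
SAMPLE_AUDIT_LOG = """
{"timestamp":"2024-05-01T10:00:01Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.create","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"}}}
{"timestamp":"2024-05-01T10:00:04Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.create","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"ci-deploy@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10","callerSuppliedUserAgent":"google-cloud-sdk gcloud/470.0.0"}}}
{"timestamp":"2024-05-01T10:02:11Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.list","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
{"timestamp":"2024-05-01T10:02:13Z","protoPayload":{"serviceName":"iam.googleapis.com","methodName":"google.iam.admin.v1.ListServiceAccounts","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
{"timestamp":"2024-05-01T10:02:15Z","protoPayload":{"serviceName":"secretmanager.googleapis.com","methodName":"google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
{"timestamp":"2024-05-01T10:02:18Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.buckets.list","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
{"timestamp":"2024-05-01T10:03:00Z","protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"jobservice.insert","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.7","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
{"timestamp":"2024-05-01T10:05:42Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.get","status":{"code":7,"message":"PERMISSION_DENIED"},"authenticationInfo":{"principalEmail":"bob@example.com"},"requestMetadata":{"callerIp":"203.0.113.44","callerSuppliedUserAgent":"Mozilla/5.0"}}}
"""

# Hypothetical map of principal -> services its intended role is meant to touch.
EXPECTED_SERVICES = {
    "ci-deploy@example-proj.iam.gserviceaccount.com": {"storage.googleapis.com"},
    "alice@example.com": {"bigquery.googleapis.com"},
}


def parse_log_lines(text):
    """Parse newline-delimited JSON audit log entries, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_permission_denied(entry):
    """True when the entry carries status code 7; successful calls have no status block."""
    return entry.get("protoPayload", {}).get("status", {}).get("code") == PERMISSION_DENIED


def summarize_denials(entries):
    """Group denied calls by principal with the methods, services, IPs and user agents seen."""
    summary = defaultdict(lambda: {"count": 0, "methods": Counter(), "services": set(),
                                   "caller_ips": set(), "user_agents": set()})
    for entry in entries:
        if not is_permission_denied(entry):
            continue
        payload = entry["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        meta = payload.get("requestMetadata", {})
        bucket = summary[principal]
        bucket["count"] += 1
        bucket["methods"][payload.get("methodName", "<unknown>")] += 1
        bucket["services"].add(payload.get("serviceName", "<unknown>"))
        bucket["caller_ips"].add(meta.get("callerIp", "<unknown>"))
        bucket["user_agents"].add(meta.get("callerSuppliedUserAgent", "<unknown>"))
    return dict(summary)


def triage(entries, expected_services, min_denials=2):
    """Classify every principal with at least min_denials denied calls.

    Denials confined to the principal's expected services read as a missing
    permission; denials on services outside that set read as probing and are
    marked suspicious. Caller IPs and user agents are reported for the analyst."""
    findings = {}
    for principal, s in summarize_denials(entries).items():
        if s["count"] < min_denials:
            continue
        unexpected = s["services"] - expected_services.get(principal, set())
        findings[principal] = {
            "verdict": "suspicious" if unexpected else "likely_misconfiguration",
            "denied_calls": s["count"],
            "unexpected_services": sorted(unexpected),
            "methods": dict(s["methods"]),
            "caller_ips": sorted(s["caller_ips"]),
            "user_agents": sorted(s["user_agents"]),
        }
    return findings


def logging_filter(principal):
    """Cloud Logging query to pull every denied call by this principal for follow-up."""
    return ('protoPayload.status.code=7 AND '
            f'protoPayload.authenticationInfo.principalEmail="{principal}"')


if __name__ == "__main__":
    for principal, finding in triage(parse_log_lines(SAMPLE_AUDIT_LOG), EXPECTED_SERVICES).items():
        print(f"{principal}: {finding['verdict']} ({finding['denied_calls']} denials)")
        print(f"  methods: {finding['methods']}")
        print(f"  from {finding['caller_ips']} via {finding['user_agents']}")
        print(f"  follow-up query: {logging_filter(principal)}")
```

The expected-service map is the part to maintain carefully: it is the machine-readable form of "the principal's intended role", and a principal whose denials fall inside its own services is almost always the first false positive listed below rather than an attacker. Lower `min_denials` to 1 for service accounts that should never be denied anything.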

Known False Positives

  • Newly deployed applications or services attempting legitimate actions with incomplete or incorrect IAM permissions
  • Automated scripts or CI/CD pipelines using outdated credentials or misconfigured service accounts
  • Users attempting to access resources after recent IAM policy changes or permission revocations