
Suspicious GCP API calls indicating Compute Engine IAM policy modification

ID: gcp_compute_engine_iam_policy_modified_suspicious
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0003 (Persistence), T1098 (Account Manipulation)

Description

AlphaSOC detected modification of IAM policies on GCP Compute Engine resources via compute.instances.setIamPolicy or compute.projects.setIamPolicy. IAM policies control which identities can access and manage compute resources.

Adversaries may modify IAM policies to grant themselves or malicious service accounts access to compute instances, enabling lateral movement, persistence, or privilege escalation within the GCP environment.

Impact

Unauthorized IAM policy changes can grant attackers persistent access to compute resources. This may enable SSH access to instances, control over instance lifecycle, or the ability to modify instance configurations. Compromised compute access can facilitate data theft, lateral movement, and further infrastructure compromise.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for setIamPolicy actions on Compute Engine resources. Identify which permissions were granted and to which principals, and verify that the changes align with authorized access provisioning.

If unauthorized, immediately revoke the added IAM bindings. Investigate the affected compute instances for signs of compromise. Rotate credentials for the identity that made the changes and review their other activities.
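The triage described above, as an added example that is not AlphaSOC's own detection code: it diffs the requested policy in a setIamPolicy audit log entry against the previously known bindings, counts unexpected properties (action, ASN, user agent, region) and maps the count onto the severity table. The sample log entry, the baseline bindings, the expected-property sets and the IP-to-ASN/region table are all constructed placeholders; the field layout follows Cloud Audit Logs (protoPayload.methodName, authenticationInfo, requestMetadata, request.policy).

```python
"""Triage constructed GCP Cloud Audit Log entries for Compute Engine setIamPolicy calls."""
import json

# Constructed sample entry (not real data); layout follows Cloud Audit Logs.
SAMPLE_ENTRY = json.dumps({"protoPayload": {
    "methodName": "v1.compute.instances.setIamPolicy",
    "resourceName": "projects/example-proj/zones/us-central1-a/instances/web-1",
    "authenticationInfo": {"principalEmail": "deploy-sa@example-proj.iam.gserviceaccount.com"},
    "requestMetadata": {"callerIp": "203.0.113.7", "callerSuppliedUserAgent": "curl/8.4"},
    "request": {"policy": {"bindings": [
        {"role": "roles/compute.instanceAdmin.v1",
         "members": ["serviceAccount:deploy-sa@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/compute.osAdminLogin", "members": ["user:mallory@example.org"]},
    ]}},
}})

# Analyst baseline (constructed): bindings seen on the resource before this call, and the
# properties normally observed for this principal.
PREVIOUS_BINDINGS = {("roles/compute.instanceAdmin.v1",
                      "serviceAccount:deploy-sa@example-proj.iam.gserviceaccount.com")}
EXPECTED = {"action": {"v1.compute.instances.setIamPolicy"}, "asn": {"AS15169"},
            "user_agent": {"google-cloud-sdk"}, "region": {"US"}}
# Constructed stand-in for a GeoIP/ASN enrichment lookup.
IP_ENRICHMENT = {"203.0.113.7": {"asn": "AS64496", "region": "DE"}}
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}


def added_bindings(entry, previous):
    """(role, member) pairs in the requested policy that were not in the previous policy."""
    pp = json.loads(entry)["protoPayload"]
    if not pp["methodName"].endswith((".instances.setIamPolicy", ".projects.setIamPolicy")):
        return set()
    requested = {(b["role"], m) for b in pp["request"]["policy"]["bindings"] for m in b["members"]}
    return requested - previous


def unexpected_properties(entry, expected, enrichment):
    """Names of the properties (action, asn, user_agent, region) outside the baseline."""
    pp = json.loads(entry)["protoPayload"]
    meta = pp["requestMetadata"]
    geo = enrichment.get(meta["callerIp"], {})
    observed = {"action": pp["methodName"], "asn": geo.get("asn"),
                "user_agent": meta["callerSuppliedUserAgent"].split("/")[0],
                "region": geo.get("region")}
    return sorted(k for k, v in observed.items() if v not in expected[k])


def severity(n_unexpected):
    """Map the number of unexpected properties onto the severity table above."""
    return SEVERITY[min(n_unexpected, 3)]
```

For the constructed entry the new binding is roles/compute.osAdminLogin for user:mallory@example.org, three properties (ASN, region, user agent) are unexpected, and the call rates Medium.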