Unexpected GCP API calls indicating Compute Engine instance service account modification
Description
AlphaSOC detected that the service account attached to a Google Cloud Compute Engine instance was changed. The attached service account is the identity that workloads on the instance use to call Google Cloud APIs; together with the IAM roles bound to that account and the OAuth access scopes set on the instance, it determines which GCP resources the workload can reach. Swapping the account therefore changes what every process on the instance is able to do.
Impact
Changing an instance's service account escalates privileges when the newly assigned account holds broader roles than the original. An attacker who can modify instance configuration and has `iam.serviceAccounts.actAs` on a more privileged account can attach it to an instance they control and then obtain its access tokens from the metadata server, gaining access to additional GCP resources, moving laterally within the environment, or reading data that the original service account could not reach.
Severity
| Severity | Condition |
|---|---|
| Informational | Instance service account modified |
| Low | Instance service account modified with anomalous patterns |
| Medium | Instance service account modified in suspicious context |
Investigation and Remediation
Review the Cloud Audit Logs (Admin Activity) for the `v1.compute.instances.setServiceAccount` method (the `beta.compute.instances.setServiceAccount` variant also exists) to identify who changed the service account and which instance was affected: the caller is in `protoPayload.authenticationInfo.principalEmail`, the instance in `protoPayload.resourceName`, and the new account and access scopes in the request body (`email` and `scopes`). The request records only the new account, so the previous one has to be recovered from an earlier audit entry or from your asset inventory. Because an instance must be stopped before its service account can be changed, a `v1.compute.instances.stop` call from the same principal shortly beforehand is expected; a stop from a different principal, or none at all, is worth noting.

Compare the IAM roles bound to the old and new service accounts, and the old and new access scopes, to understand the impact of the change. The caller needed both `compute.instances.setServiceAccount` on the instance and `iam.serviceAccounts.actAs` on the new account, so check who holds `actAs` on that account as well.

If unauthorized, restore the original service account and investigate how the actor gained the ability to modify instance configurations. Review the permissions granted to the new service account and audit any actions taken using those elevated privileges, for example by filtering audit logs on the new service account as `principalEmail` from the time of the change onward.
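Putting the steps above together, as an added example that is not AlphaSOC or Google code: a Python script that filters exported audit log entries to the setServiceAccount method, extracts caller, instance, new account and scopes, diffs the role bindings of the old and new accounts, and raises review flags. The log entries, the project `demo-proj`, the service accounts, the `ROLE_BINDINGS` inventory and the `DEPLOY_PRINCIPALS` allowlist are constructed, and the flag heuristics are this example's own, not the AlphaSOC severity logic. Entries of this shape come from `gcloud logging read 'protoPayload.methodName="v1.compute.instances.setServiceAccount"' --format=json`.

```python
"""Triage of Compute Engine instance service-account changes from Cloud Audit Logs.

Added example, not AlphaSOC or Google code. The log entries, project, service
accounts, role bindings and deployment allowlist below are constructed so the
script runs offline; replace them with exported audit logs and your own IAM inventory.
"""
import re
from dataclasses import dataclass

SET_SA_METHODS = {
    "v1.compute.instances.setServiceAccount",
    "beta.compute.instances.setServiceAccount",
}
RESOURCE_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/zones/(?P<zone>[^/]+)/instances/(?P<instance>[^/]+)$"
)
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
# Roles whose presence on the new account warrants immediate review (assumption).
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/iam.serviceAccountTokenCreator"}


@dataclass
class SaChange:
    timestamp: str
    principal: str
    project: str
    zone: str
    instance: str
    new_sa: str      # empty when the request detaches the account
    scopes: tuple


def parse_events(entries):
    """Extract setServiceAccount calls from a list of audit log entries (dicts)."""
    changes = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in SET_SA_METHODS:
            continue
        match = RESOURCE_RE.match(payload.get("resourceName", ""))
        if not match:
            continue
        request = payload.get("request", {})
        changes.append(SaChange(
            timestamp=entry.get("timestamp", ""),
            principal=payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
            project=match["project"], zone=match["zone"], instance=match["instance"],
            new_sa=request.get("email", ""),
            scopes=tuple(request.get("scopes", [])),
        ))
    return changes


def assess(change, previous_sa, role_bindings, deploy_principals):
    """Diff old/new account roles and raise review flags.

    The request carries only the new account, so previous_sa comes from an earlier
    audit entry or an inventory. role_bindings maps an account email to its roles.
    """
    old_roles = set(role_bindings.get(previous_sa, ()))
    new_roles = set(role_bindings.get(change.new_sa, ()))
    gained, lost = sorted(new_roles - old_roles), sorted(old_roles - new_roles)
    flags = []
    if gained:
        flags.append("roles_gained")
    if new_roles & HIGH_RISK_ROLES:
        flags.append("high_risk_role")
    if CLOUD_PLATFORM_SCOPE in change.scopes:
        flags.append("cloud_platform_scope")
    if change.principal not in deploy_principals:
        flags.append("unexpected_principal")
    return {"instance": f"{change.project}/{change.zone}/{change.instance}",
            "principal": change.principal, "previous_sa": previous_sa,
            "new_sa": change.new_sa, "gained": gained, "lost": lost, "flags": flags}


# Constructed sample entries in the shape Compute Engine audit logs use.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-05-01T10:01:40Z", "protoPayload": {
        "methodName": "v1.compute.instances.stop",  # unrelated method, filtered out
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/demo-proj/zones/us-central1-a/instances/web-1"}},
    {"timestamp": "2024-05-01T10:02:13Z", "protoPayload": {
        "methodName": "v1.compute.instances.setServiceAccount",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/demo-proj/zones/us-central1-a/instances/web-1",
        "request": {"email": "admin-sa@demo-proj.iam.gserviceaccount.com",
                    "scopes": [CLOUD_PLATFORM_SCOPE]}}},
    {"timestamp": "2024-05-02T08:00:00Z", "protoPayload": {
        "methodName": "beta.compute.instances.setServiceAccount",
        "authenticationInfo": {"principalEmail": "deploy-bot@demo-proj.iam.gserviceaccount.com"},
        "resourceName": "projects/demo-proj/zones/europe-west1-b/instances/batch-3",
        "request": {"email": "batch-ro-sa@demo-proj.iam.gserviceaccount.com",
                    "scopes": ["https://www.googleapis.com/auth/logging.write"]}}},
]
PREVIOUS_SA = {"web-1": "web-sa@demo-proj.iam.gserviceaccount.com",       # constructed inventory
               "batch-3": "batch-sa@demo-proj.iam.gserviceaccount.com"}
ROLE_BINDINGS = {                                                          # constructed IAM policy
    "web-sa@demo-proj.iam.gserviceaccount.com": {"roles/logging.logWriter"},
    "admin-sa@demo-proj.iam.gserviceaccount.com": {"roles/editor"},
    "batch-sa@demo-proj.iam.gserviceaccount.com": {"roles/storage.objectAdmin"},
    "batch-ro-sa@demo-proj.iam.gserviceaccount.com": {"roles/storage.objectViewer"},
}
DEPLOY_PRINCIPALS = {"deploy-bot@demo-proj.iam.gserviceaccount.com"}       # constructed allowlist


def triage_samples():
    """Run the pipeline over the constructed entries; one finding per change."""
    return [assess(c, PREVIOUS_SA.get(c.instance, ""), ROLE_BINDINGS, DEPLOY_PRINCIPALS)
            for c in parse_events(SAMPLE_ENTRIES)]


if __name__ == "__main__":
    for finding in triage_samples():
        print(finding)
```

The first constructed change (a human principal attaching an `roles/editor` account with the `cloud-platform` scope) collects every flag and maps to the case the Impact section describes; the second (a deployment account moving a batch instance to a read-only account) still reports a role diff, since the roles differ, but raises no other flag, which is the "more restrictive service account" false-positive pattern listed below.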
Known False Positives
- Service account changes during application deployments
- Migration of workloads to different service accounts
- Security improvements assigning more restrictive service accounts