GCP Compute Engine multiple instances created
Description
AlphaSOC detected the creation of multiple GCP Compute Engine instances in a short time window by the same source. This behavior may indicate resource hijacking for cryptomining, DDoS infrastructure, or other unauthorized compute usage.
Impact
Unauthorized instance creation can result in significant cloud costs, consumption of compute quotas, and use of your infrastructure for malicious purposes. Attackers commonly hijack cloud accounts to mine cryptocurrency or launch attacks against other targets.
Severity
| Severity | Condition |
|---|---|
| Low | Multiple Compute Engine instances created rapidly |
Investigation and Remediation
Review GCP audit logs to identify the instance creation events, the specific instance types and regions used, and the principal responsible. Check whether the instances match cryptomining patterns (high-CPU instances, specific machine types).
If unauthorized, immediately stop and delete the unauthorized instances. Revoke credentials for the compromised identity and review billing alerts. Implement quotas and budget alerts to detect future unauthorized resource creation. Consider enabling organization policies to restrict instance creation.
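The audit-log review above can be scripted: the following is an added example (not AlphaSOC's own detection logic) that groups Compute Engine insert events by principal and flags anyone creating several instances inside a sliding time window. It assumes Cloud Audit Log entries in their JSON export shape (timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName); the log entries it runs on are constructed.

```python
"""Sliding-window check for burst Compute Engine instance creation in GCP audit logs.
Added example, not AlphaSOC's detection logic. Assumed Cloud Audit Log JSON shape:
timestamp, protoPayload.methodName / authenticationInfo.principalEmail / resourceName."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

INSERT_METHODS = {"v1.compute.instances.insert", "beta.compute.instances.insert"}
SVC = "svc-ci@demo.iam.gserviceaccount.com"  # constructed principal

def _entry(ts, who, inst):
    """One constructed audit entry in the assumed JSON shape."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": who},
        "resourceName": f"projects/demo/zones/us-central1-a/instances/{inst}"}})

# Constructed log: SVC creates four instances in 2.5 minutes; alice creates two, hours apart.
SAMPLE_LOG = "\n".join([
    _entry("2024-05-01T10:00:00Z", SVC, "miner-1"),
    _entry("2024-05-01T10:00:20Z", SVC, "miner-2"),
    _entry("2024-05-01T10:01:05Z", SVC, "miner-3"),
    _entry("2024-05-01T10:02:30Z", SVC, "miner-4"),
    _entry("2024-05-01T10:03:00Z", "alice@example.com", "web-1"),
    _entry("2024-05-01T12:30:00Z", "alice@example.com", "web-2"),
])

def creation_events(log_text):
    """Yield (timestamp, principal, instance_name) for each instance-insert entry."""
    for line in log_text.splitlines():
        e = json.loads(line)
        p = e.get("protoPayload", {})
        if p.get("methodName") not in INSERT_METHODS:
            continue  # ignore unrelated API calls (list, delete, ...)
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        who = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        yield ts, who, p.get("resourceName", "").rsplit("/", 1)[-1]

def find_bursts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {principal: sorted instance names} for every principal that created
    at least `threshold` instances inside any sliding time `window`."""
    by_principal = defaultdict(list)
    for ts, who, inst in sorted(creation_events(log_text)):
        by_principal[who].append((ts, inst))
    hits = defaultdict(set)
    for who, events in by_principal.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= threshold:
                hits[who].update(inst for _, inst in events[start:end + 1])
    return {who: sorted(insts) for who, insts in hits.items()}
```

Tune `threshold` and `window` to match your deployment cadence, and exclude the service accounts used by autoscalers and CI pipelines listed under Known False Positives before alerting.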
Known False Positives
- Autoscaling events in response to legitimate traffic
- Batch job processing requiring multiple instances
- Infrastructure deployments creating compute resources