Unexpected GCP API calls indicating custom IAM role creation

ID: gcp_iam_custom_role_created_anomaly
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1098

Description

AlphaSOC detected creation of a custom IAM role in GCP via google.iam.admin.v1.CreateRole. Adversaries may create custom roles with overly permissive or unusual permission combinations to facilitate privilege escalation or maintain persistent access. Custom roles can be designed to avoid detection by security tools that monitor predefined role assignments.

Impact

Malicious custom roles can grant attackers specific permissions needed for their objectives while avoiding detection. Roles may be created with permissions for data access, resource modification, or identity manipulation. These roles can then be assigned to attacker-controlled identities for persistent access.

Severity

Severity        Condition
Informational   One unexpected property (action, ASN, user agent or region)
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time

Investigation and Remediation

Review GCP audit logs for the google.iam.admin.v1.CreateRole action. Examine the permissions included in the custom role and identify the principal that created it. Verify if the role aligns with legitimate organizational needs.

If unauthorized, delete the custom role and investigate where it was assigned. Review the included permissions for privilege escalation capabilities. Rotate credentials for the compromised identity.
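The following is an added triage example, not AlphaSOC's detection logic. It walks a set of constructed Cloud Audit Log entries, keeps only the google.iam.admin.v1.CreateRole calls, extracts the creating principal and the role's included permissions, flags permissions that are commonly used for privilege escalation or persistence, and maps the number of unexpected properties (action, ASN, user agent, region) to the severity scale in the table above. Two assumptions are built in: the "enrichment" object (ASN and region) is assumed to be attached by an upstream step from the caller IP, since it is not a native audit-log field, and the BASELINE and SENSITIVE_PERMISSIONS sets are illustrative values rather than anything the page specifies.

```python
import json

CREATE_ROLE = "google.iam.admin.v1.CreateRole"

# Assumed baseline of "expected" values for this environment (constructed for the example;
# in practice it is derived from historical audit-log profiling).
BASELINE = {
    "action": {"google.iam.admin.v1.GetRole", "google.iam.admin.v1.ListRoles"},
    "asn": {15169},                      # hypothetical ASN of the org's CI runners
    "user_agent": {"Terraform/1.6.0"},
    "region": {"US"},
}

# Real GCP IAM permission names that commonly enable privilege escalation or persistence
# when bundled into a custom role. Illustrative subset, not an exhaustive list.
SENSITIVE_PERMISSIONS = {
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.actAs",
    "iam.serviceAccounts.setIamPolicy",
    "iam.roles.update",
    "resourcemanager.projects.setIamPolicy",
}

# Constructed audit-log entries. "enrichment" is an assumed add-on, not a native field.
SAMPLE_LOG = [
    {   # routine CreateRole from CI: only the action itself is unexpected
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": CREATE_ROLE,
            "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Terraform/1.6.0"},
            "request": {"parent": "projects/example-project", "roleId": "app_reader",
                        "role": {"title": "App reader",
                                 "includedPermissions": ["storage.objects.get", "storage.objects.list"]}},
        },
        "enrichment": {"asn": 15169, "region": "US"},
    },
    {   # CreateRole from an interactive user, unknown ASN and user agent, sensitive permissions
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "iam.googleapis.com",
            "methodName": CREATE_ROLE,
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7",
                                "callerSuppliedUserAgent": "google-cloud-sdk gcloud/460.0.0"},
            "request": {"parent": "projects/example-project", "roleId": "helpdesk_admin",
                        "role": {"title": "Helpdesk admin",
                                 "includedPermissions": ["iam.serviceAccountKeys.create",
                                                         "iam.serviceAccounts.actAs",
                                                         "resourcemanager.projects.setIamPolicy",
                                                         "logging.sinks.delete"]}},
        },
        "enrichment": {"asn": 64496, "region": "US"},
    },
    {   # unrelated read-only call, must be filtered out
        "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.GetRole",
                         "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
                         "requestMetadata": {"callerIp": "203.0.113.10", "callerSuppliedUserAgent": "Terraform/1.6.0"}},
        "enrichment": {"asn": 15169, "region": "US"},
    },
]


def create_role_events(entries):
    """Keep only entries whose methodName is the CreateRole action this rule monitors."""
    return [e for e in entries if e["protoPayload"].get("methodName") == CREATE_ROLE]


def unexpected_properties(entry, baseline=BASELINE):
    """Return the sorted names of the properties whose observed value is outside the baseline."""
    p = entry["protoPayload"]
    enr = entry.get("enrichment", {})
    observed = {
        "action": p.get("methodName"),
        "asn": enr.get("asn"),
        "user_agent": p.get("requestMetadata", {}).get("callerSuppliedUserAgent"),
        "region": enr.get("region"),
    }
    return sorted(name for name, value in observed.items() if value not in baseline[name])


def severity_for(unexpected):
    """Map the unexpected-property count to the rule's scale; four or more is capped at Medium."""
    return {0: None, 1: "Informational", 2: "Low", 3: "Medium"}[min(len(unexpected), 3)]


def triage(entry):
    """Extract the facts an analyst reviews for one CreateRole event."""
    p = entry["protoPayload"]
    req = p.get("request", {})
    perms = set(req.get("role", {}).get("includedPermissions", []))
    unexpected = unexpected_properties(entry)
    return {
        "principal": p.get("authenticationInfo", {}).get("principalEmail"),
        "role": f"{req.get('parent')}/roles/{req.get('roleId')}",   # full role resource name
        "caller_ip": p.get("requestMetadata", {}).get("callerIp"),
        "permissions": sorted(perms),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
        "unexpected": unexpected,
        "severity": severity_for(unexpected),
    }


def triage_all(entries):
    return [triage(e) for e in create_role_events(entries)]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

The sensitive-permission check is what turns the alert into a remediation decision: a CreateRole event that is unexpected only because of its action but carries read-only permissions is usually a change-management question, while one whose role can mint service-account keys or rewrite a project's IAM policy warrants checking where the role was bound and rotating the creating identity's credentials.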