Unexpected GCP API calls indicating IAM role deletion
Description
AlphaSOC detected deletion of an IAM role in GCP via
google.iam.admin.v1.DeleteRole. Role deletion removes the role definition and
affects all principals that were assigned the role.
Adversaries may delete IAM roles to disrupt legitimate access controls, cause service disruptions, or as part of cleanup after an attack.
Impact
IAM role deletion can disrupt services and access for legitimate users and service accounts. Applications relying on the deleted role's permissions may fail. Attackers may delete roles to cover tracks after using them for malicious purposes or to deny service to legitimate operations.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the google.iam.admin.v1.DeleteRole action. Identify
which role was deleted, who it was assigned to, and the principal responsible.
Assess the impact on services and users.
If the deletion was unauthorized, recreate the role with the appropriate permissions. Review IAM bindings to restore access for affected principals. Investigate the compromised identity for additional malicious activity.
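As an added example (not AlphaSOC's detection code), the Python below triages Cloud Audit Log entries for this method, extracting the deleted role, the principal and the caller properties, and grades each finding by the severity table above. The per-principal baseline, the IP-to-ASN/region table and every sample log value are constructed assumptions; in production the baseline comes from historical logs and the enrichment from a GeoIP/ASN source.

```python
# Added example (not AlphaSOC code): triage Cloud Audit Log entries for
# google.iam.admin.v1.DeleteRole. Baseline, IP table and log lines are constructed.
import json

DELETE_ROLE = "google.iam.admin.v1.DeleteRole"
DEPLOYER = "deployer@example-project.iam.gserviceaccount.com"  # constructed principal
# Constructed per-principal baseline of expected properties (in practice learned
# from historical audit logs); keys match the property names built in triage().
BASELINE = {DEPLOYER: {
    "action": {"google.iam.admin.v1.CreateRole", "google.iam.admin.v1.UpdateRole"},
    "asn": {"AS15169"}, "user_agent": {"google-cloud-sdk"}, "region": {"US"}}}
# Constructed IP enrichment (normally a GeoIP/ASN database lookup).
IP_INFO = {"35.192.0.10": ("AS15169", "US"), "198.51.100.7": ("AS64496", "RO")}
# Severity by number of simultaneously unexpected properties, per the table above.
SEVERITY = {1: "Informational", 2: "Low"}

def triage(entry):
    """Return a finding for a DeleteRole audit entry, or None for other methods."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != DELETE_ROLE:
        return None
    meta = payload.get("requestMetadata", {})
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    asn, region = IP_INFO.get(meta.get("callerIp", ""), ("unknown", "unknown"))
    ua = meta.get("callerSuppliedUserAgent", "")
    observed = {"action": DELETE_ROLE, "asn": asn, "region": region,
                "user_agent": (ua.split() or [""])[0].split("/")[0]}  # product token
    base = BASELINE.get(principal, {})
    unexpected = sorted(k for k, v in observed.items() if v not in base.get(k, set()))
    return {"role": payload.get("resourceName", ""),  # projects/<id>/roles/<roleId>
            "principal": principal, "caller_ip": meta.get("callerIp", ""),
            "unexpected": unexpected,
            "severity": SEVERITY.get(len(unexpected), "Medium") if unexpected else None}

def triage_log(lines):
    """Parse a JSON-per-line audit log export; return all DeleteRole findings."""
    return [f for f in (triage(json.loads(l)) for l in lines if l.strip()) if f]

def _entry(method, role, principal, ip, ua):  # builds one constructed sample entry
    return json.dumps({"protoPayload": {"methodName": method, "resourceName": role,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": ua}}})

SAMPLE_LOG = [  # constructed: a routine gcloud deletion, one from an unknown network, a ListRoles
    _entry(DELETE_ROLE, "projects/example-project/roles/customDeployer", DEPLOYER,
           "35.192.0.10", "google-cloud-sdk gcloud/450.0.0 command/gcloud.iam.roles.delete"),
    _entry(DELETE_ROLE, "projects/example-project/roles/customAuditor", DEPLOYER,
           "198.51.100.7", "python-requests/2.31.0"),
    _entry("google.iam.admin.v1.ListRoles", "projects/example-project", DEPLOYER,
           "35.192.0.10", "google-cloud-sdk gcloud/450.0.0"),
]
```

Running `triage_log(SAMPLE_LOG)` yields two findings: the gcloud deletion is Informational (only the action is unexpected for that principal), while the deletion from the unknown network and user agent is Medium.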