GCP API calls indicating IAM role modification
Description
AlphaSOC detected the creation or modification of a custom IAM role in Google Cloud Platform. Custom IAM roles define specific permissions that can be assigned to identities. Adversaries may create or modify custom roles to grant themselves elevated privileges or to establish persistent access with specific permissions that avoid detection.
Impact
Unauthorized IAM role modifications can enable privilege escalation by granting additional permissions to attacker-controlled identities. Custom roles with overly permissive settings can provide broad access across the GCP environment. This technique can be used to maintain persistent access or to prepare for further attacks such as data exfiltration or resource manipulation.
Severity
| Severity | Condition |
|---|---|
| Low | IAM role modification by a user for the first time |
Investigation and Remediation
Review the specific permissions included in the created or modified role. Verify the identity that made the changes and confirm the action was authorized. Examine which identities have been assigned this role. If unauthorized, delete or revert the role changes, review IAM bindings for suspicious assignments, and investigate the actor's recent activity for signs of compromise.
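As an added example (not AlphaSOC's detection logic), the following Python sketch shows how the "first role modification by a user" condition and the permission review above can be implemented over Cloud Audit Log entries. The log entries are constructed, the `protoPayload` field layout is assumed, and the high-risk permission list is a starting point chosen for the example:

```python
# Constructed Cloud Audit Log entries: protoPayload layout assumed, all values invented.
SAMPLE_LOG = [
    {"timestamp": "2024-05-01T09:00:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateRole",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"roleId": "logViewerLite",
                    "role": {"includedPermissions": ["logging.logEntries.list"]}}}},
    {"timestamp": "2024-05-01T09:05:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.UpdateRole",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "request": {"name": "projects/demo-proj/roles/logViewerLite",
                    "role": {"includedPermissions": ["logging.logEntries.list"]}}}},
    {"timestamp": "2024-05-01T11:30:00Z", "protoPayload": {
        "methodName": "google.iam.admin.v1.UpdateRole",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "request": {"name": "projects/demo-proj/roles/deployHelper",
                    "role": {"includedPermissions": [
                        "compute.instances.list", "resourcemanager.projects.setIamPolicy"]}}}},
    {"timestamp": "2024-05-01T11:31:00Z", "protoPayload": {  # binding change, not a role edit
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "carol@example.com"}, "request": {}}},
]

ROLE_CHANGE_METHODS = {"google.iam.admin.v1.CreateRole", "google.iam.admin.v1.UpdateRole"}

# Permissions to review first: they let the role holder change IAM policy or mint keys.
HIGH_RISK_PERMISSIONS = {"resourcemanager.projects.setIamPolicy",
                         "iam.serviceAccountKeys.create", "iam.roles.update"}

def first_time_role_changes(entries):
    """One Low alert per principal on its first custom-role create or update."""
    seen, alerts = set(), []
    for entry in entries:
        payload = entry["protoPayload"]
        if payload.get("methodName") not in ROLE_CHANGE_METHODS:
            continue
        principal = payload["authenticationInfo"]["principalEmail"]
        if principal in seen:
            continue  # repeat activity by a known role editor is not alerted
        seen.add(principal)
        request = payload.get("request", {})
        # CreateRole carries roleId; UpdateRole carries the full resource name.
        role = request.get("roleId") or request.get("name", "").rsplit("/", 1)[-1]
        perms = set(request.get("role", {}).get("includedPermissions", []))
        alerts.append({"severity": "Low", "timestamp": entry["timestamp"],
                       "principal": principal, "role": role,
                       "high_risk_permissions": sorted(perms & HIGH_RISK_PERMISSIONS)})
    return alerts
```

Each alert carries the high-risk permissions found in the submitted role body, so the reviewer can start the permission check there before moving on to the role's IAM bindings.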
Known False Positives
- Legitimate infrastructure management by administrators
- Automated provisioning systems creating roles for new services
- Security teams implementing least-privilege access controls