Suspicious GCP API calls indicating IAM service account key creation
Description
AlphaSOC detected creation or upload of a GCP service account key. Service account keys provide long-lived credentials for non-human identities. While key creation is common in automation workflows, adversaries may create keys to establish persistence or gain unauthorized access to GCP resources.
Impact
Unauthorized service account key creation allows attackers to maintain persistent access to GCP resources even after their initial access method is revoked. Keys can be exported and used from any location, making them attractive for establishing backdoor access. Uploaded keys are particularly suspicious because the key pair is generated by the caller rather than by GCP, so the private key is attacker-controlled from the start.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for CreateServiceAccountKey or UploadServiceAccountKey actions. Identify the service account affected and the principal who created the key. Verify whether the key creation was authorized.
If unauthorized, immediately delete the newly created key from the service account. Review recent activity from the service account for signs of misuse. Rotate credentials for the compromised identity and audit IAM policies to restrict service account key creation permissions. Consider using Workload Identity Federation instead of service account keys.
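The triage steps and the severity table above, as an added example that is not AlphaSOC's code: it scores constructed GCP IAM audit log entries by counting unexpected properties, extracts the principal and service account an analyst would review, and ignores non-key methods. The baseline values, the `geoip` enrichment field (GCP logs carry only `callerIp`, so ASN and region must be added by an enrichment step) and the reading of "unexpected action" as a principal not previously seen creating keys are all assumptions.

```python
# Constructed baseline of properties normally seen on key-creation events in one
# project (hypothetical values; in practice learned from historical audit logs).
EXPECTED = {"principals": {"ci-deployer@example-project.iam.gserviceaccount.com"},
            "asns": {"AS15169"}, "user_agents": {"Terraform/1.6.0"}, "regions": {"us-east1"}}
KEY_METHODS = {"google.iam.admin.v1.CreateServiceAccountKey",
               "google.iam.admin.v1.UploadServiceAccountKey"}
LEVELS = {0: "none", 1: "informational", 2: "low"}  # three or more -> medium

def assess(entry, expected=EXPECTED):
    """Score one GCP audit log entry; returns None unless it is a key create/upload."""
    pl = entry["protoPayload"]
    if pl.get("serviceName") != "iam.googleapis.com" or pl.get("methodName") not in KEY_METHODS:
        return None
    meta = pl.get("requestMetadata", {})
    geo = entry.get("geoip", {})  # assumed enrichment of callerIp; not a native log field
    principal = pl["authenticationInfo"]["principalEmail"]
    checks = {"action": principal in expected["principals"],
              "asn": geo.get("asn") in expected["asns"],
              "user_agent": meta.get("callerSuppliedUserAgent") in expected["user_agents"],
              "region": geo.get("region") in expected["regions"]}
    unexpected = sorted(k for k, ok in checks.items() if not ok)
    return {"severity": LEVELS.get(len(unexpected), "medium"), "unexpected": unexpected,
            "principal": principal, "service_account": pl.get("resourceName"),
            "method": pl["methodName"].rsplit(".", 1)[-1]}

def make_entry(method, principal, user_agent, ip, asn, region):
    """Build a constructed audit log entry carrying only the fields assess() reads."""
    return {"protoPayload": {"serviceName": "iam.googleapis.com", "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
                             "resourceName": "projects/-/serviceAccounts/123456789012345678901"},
            "geoip": {"asn": asn, "region": region}}

# Constructed samples: a routine Terraform key rotation, a key uploaded by an unknown
# user from an unfamiliar network, and a read-only call that should not alert at all.
SAMPLES = [
    make_entry("google.iam.admin.v1.CreateServiceAccountKey",
               "ci-deployer@example-project.iam.gserviceaccount.com",
               "Terraform/1.6.0", "203.0.113.10", "AS15169", "us-east1"),
    make_entry("google.iam.admin.v1.UploadServiceAccountKey", "alice@example.com",
               "google-cloud-sdk gcloud/450.0.0", "198.51.100.7", "AS64496", "eu-west2"),
    make_entry("google.iam.admin.v1.ListServiceAccountKeys", "alice@example.com",
               "google-cloud-sdk gcloud/450.0.0", "198.51.100.7", "AS64496", "eu-west2"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The Terraform entry scores "none" and the uploaded key scores "medium" with all four properties unexpected, which matches the severity table's intent of alerting only on deviations from the established baseline.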
Known False Positives
- Legitimate automation tools (Terraform, Vault) creating keys
- Application deployments requiring service account access
- Developer workflows in authorized environments