GCP IAM workforce pool modified
Description
AlphaSOC detected modifications to a Google Cloud IAM workforce identity pool. Workforce pools allow external identities from corporate identity providers to access GCP resources. Adversaries may modify workforce pool configurations to add unauthorized identity providers, weaken authentication requirements, or establish persistent access using external credentials.
Impact
Unauthorized workforce pool modifications can grant external identities access to GCP resources, bypassing normal IAM controls. Attackers may add malicious identity providers to authenticate with stolen or fabricated credentials. This can establish persistent backdoor access that is difficult to detect through standard GCP audit mechanisms.
Severity
| Severity | Condition |
|---|---|
| Low | IAM workforce pool modified |
Investigation and Remediation
Review the specific changes made to the workforce pool configuration. Verify the identity of the user who made the modifications and confirm the action was authorized. Examine any added identity providers or attribute mappings for suspicious configurations. If unauthorized changes are detected, revert the configuration and investigate connected identities for malicious activity.
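The following added example (not AlphaSOC's detection code) shows how a triage script can pull workforce pool writes out of Cloud Audit Log entries and surface the facts the review above asks for: who made the change, whether it hit the pool or one of its identity providers, whether a provider was added, and whether attribute mappings changed. The log entries are constructed for the example, and the `methodName` strings are an assumption about the IAM service's RPC naming rather than values taken from this page.

```python
import json
import re

# Workforce pool resource paths; an optional /providers/<id> suffix names an identity provider.
POOL_RE = re.compile(r"^locations/[^/]+/workforcePools/([^/]+)(?:/providers/([^/]+))?$")
WRITE_VERBS = ("Create", "Update", "Delete", "Undelete")


def _entry(method, principal, resource, request=None):
    """Build a minimal Cloud Audit Log entry in the protoPayload shape (constructed sample)."""
    return {"protoPayload": {"serviceName": "iam.googleapis.com", "methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "resourceName": resource, "request": request or {}}}

# Constructed sample log; the methodName strings are an assumption about IAM's RPC naming.
SAMPLE_ENTRIES = [
    _entry("google.iam.admin.v1.WorkforcePools.UpdateWorkforcePoolProvider", "admin@example.com",
           "locations/global/workforcePools/corp-pool/providers/okta-prod",
           {"workforcePoolProvider": {"attributeMapping": {"google.subject": "assertion.sub"}}}),
    _entry("google.iam.admin.v1.WorkforcePools.GetWorkforcePool", "viewer@example.com",
           "locations/global/workforcePools/corp-pool"),
    _entry("google.iam.admin.v1.WorkforcePools.CreateWorkforcePoolProvider", "contractor@external.example",
           "locations/global/workforcePools/corp-pool/providers/new-idp"),
]


def workforce_pool_writes(entries):
    """Return one finding per create/update/delete of a workforce pool or one of its providers."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != "iam.googleapis.com":
            continue
        match = POOL_RE.match(payload.get("resourceName", ""))
        if not match:
            continue
        # The RPC verb is the last dotted component, e.g. "UpdateWorkforcePoolProvider".
        verb = payload.get("methodName", "").rsplit(".", 1)[-1]
        if not verb.startswith(WRITE_VERBS):
            continue  # Get/List calls read configuration; they are not modifications
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "pool": match.group(1),
            "provider": match.group(2),  # None when the pool itself, not a provider, was changed
            "verb": verb,
            # Mapping changes decide which external identity is trusted, so triage them first.
            "attribute_mapping_changed": "attributeMapping" in json.dumps(payload.get("request")),
            "new_provider": verb.startswith("Create") and match.group(2) is not None,
        })
    return findings
```

Running `workforce_pool_writes(SAMPLE_ENTRIES)` yields two findings: the attribute-mapping update by the administrator and the new provider created by an external principal, while the read-only `Get` call is dropped.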
Known False Positives
- Legitimate updates to federated identity configurations
- IT administrators adding new corporate identity providers
- Changes to attribute mappings for improved access control