Suspicious GCP API calls indicating KMS key IAM modification
Description
AlphaSOC detected modification of IAM policies on a GCP Cloud KMS cryptographic
key via SetIamPolicy. Adversaries may modify KMS key IAM policies to grant
themselves decryption access, enabling them to decrypt sensitive data protected
by the key. This can facilitate data theft or enable access to encrypted secrets
and credentials.
Impact
Unauthorized KMS key IAM changes can grant attackers the ability to decrypt sensitive data. This may expose encrypted secrets, database contents, backup data, or application credentials. Attackers with decrypt access can access all data protected by the key without leaving obvious traces in the data itself.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the SetIamPolicy action on cloudkms_cryptokey
resources. Identify what permissions were granted and to which principals.
Verify if these changes align with authorized key management procedures.
If unauthorized, immediately revoke the added IAM bindings. Review KMS key usage logs to identify data that may have been decrypted. Assess what data was protected by the key and consider rotating encryption if data exposure is suspected. Rotate credentials for the compromised identity.
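As an added example (not AlphaSOC's own detection code), the following Python helper applies the review steps above to a constructed Cloud Audit Log entry: it filters for SetIamPolicy on a cryptoKeys resource, lists newly added bindings that grant decrypt capability, and maps the number of unexpected properties (action, ASN, user agent, region) onto the severity table. The field path protoPayload.serviceData.policyDelta.bindingDeltas, the role list and the baseline values are assumptions.

```python
import json

# Roles that allow decrypting data protected by a Cloud KMS key (assumed list).
DECRYPT_ROLES = {
    "roles/cloudkms.cryptoKeyDecrypter",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
}

def is_kms_setiampolicy(entry):
    """True for an audit log entry that changes IAM on a KMS crypto key."""
    pp = entry.get("protoPayload", {})
    return (pp.get("serviceName") == "cloudkms.googleapis.com"
            and pp.get("methodName") == "SetIamPolicy"
            and "/cryptoKeys/" in pp.get("resourceName", ""))

def added_decrypt_grants(entry):
    """(member, role) pairs newly ADDed that grant decrypt access.
    Assumes the delta lives at protoPayload.serviceData.policyDelta.bindingDeltas."""
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    return [(d["member"], d["role"]) for d in deltas
            if d.get("action") == "ADD" and d.get("role") in DECRYPT_ROLES]

def severity(observed, baseline):
    """Count properties outside the baseline: 1 -> Informational, 2 -> Low, 3+ -> Medium."""
    unexpected = sum(1 for k, v in observed.items() if v not in baseline.get(k, set()))
    return {0: None, 1: "Informational", 2: "Low"}.get(unexpected, "Medium")

def triage(entry, enrichment):
    """Return (severity, decrypt grants) for one entry, or (None, []) if not relevant."""
    if not is_kms_setiampolicy(entry):
        return None, []
    observed = {"action": entry["protoPayload"]["methodName"], **enrichment}
    return severity(observed, BASELINE), added_decrypt_grants(entry)

# Constructed sample entry (not real data) in Cloud Audit Log shape.
SAMPLE = json.loads('''{"protoPayload": {
  "serviceName": "cloudkms.googleapis.com", "methodName": "SetIamPolicy",
  "resourceName": "projects/example-proj/locations/us-east1/keyRings/ring1/cryptoKeys/db-key",
  "authenticationInfo": {"principalEmail": "svc-deploy@example-proj.iam.gserviceaccount.com"},
  "serviceData": {"policyDelta": {"bindingDeltas": [
    {"action": "ADD", "role": "roles/cloudkms.cryptoKeyDecrypter", "member": "user:ext@example.net"},
    {"action": "ADD", "role": "roles/cloudkms.viewer", "member": "user:ext@example.net"}]}}}}''')

# Assumed baseline of expected properties for this key (ASN/region come from enrichment).
BASELINE = {"action": {"GetIamPolicy", "Encrypt", "Decrypt"}, "asn": {"AS15169"},
            "user_agent": {"google-cloud-sdk"}, "region": {"us-east1"}}
```

Calling `triage(SAMPLE, {"asn": "AS64496", "user_agent": "python-requests/2.31", "region": "us-east1"})` flags three unexpected properties (action, ASN, user agent) and returns `("Medium", [("user:ext@example.net", "roles/cloudkms.cryptoKeyDecrypter")])`.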