Unexpected GCP API calls indicating service account deletion
Description
AlphaSOC detected deletion of a GCP service account via
google.iam.admin.v1.DeleteServiceAccount. Adversaries may delete service
accounts to disrupt applications, cause denial of service, or clean up after
using them for malicious purposes. Deleting a service account invalidates all
its keys and breaks applications relying on it.
Impact
Service account deletion can cause immediate service disruptions for applications using the account for authentication. Workloads depending on the service account will fail to access GCP resources. Attackers may delete accounts to cover tracks after using them for malicious activities.
Severity
| Severity | Condition |
|---|---|
| Informational | Unexpected action, ASN, user agent or region |
| Low | Two unexpected properties at the same time |
| Medium | Three unexpected properties at the same time |
Investigation and Remediation
Review GCP audit logs for the DeleteServiceAccount action. Identify which
service account was deleted, what applications used it, and the principal
responsible.
If the deletion was unauthorized, the service account can usually be undeleted
within 30 days using the undelete API (UndeleteServiceAccount); undeletion is
keyed by the account's numeric unique ID rather than its email address. Assess
the impact on applications and services that depended on the account.
Investigate the compromised identity for additional destructive activities, and
review whether the deleted account itself was used for any malicious actions
before deletion.
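As an added example (not AlphaSOC's own detection code), the following Python triages exported Cloud Audit Log lines for DeleteServiceAccount, pulls out the principal, deleted account, caller IP and user agent that the investigation step asks for, and scores each finding on the severity ladder above by counting which properties are unexpected for that principal. The log lines, the IP-to-ASN/region enrichment and the per-principal baseline are constructed stand-ins.

```python
import json

DELETE_SA = "google.iam.admin.v1.DeleteServiceAccount"
# Severity ladder from the table above; four properties can be unexpected, so cap at three.
SEVERITY = {0: "none", 1: "informational", 2: "low", 3: "medium"}

# Constructed audit-log lines (not real data), shaped like Cloud Logging exports of
# IAM admin-activity entries; only the fields used below are kept.
SAMPLE_LOG = """\
{"timestamp":"2024-05-01T10:00:00Z","protoPayload":{"methodName":"google.iam.admin.v1.DeleteServiceAccount","resourceName":"projects/example-prj/serviceAccounts/build-runner@example-prj.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7","callerSuppliedUserAgent":"google-cloud-sdk gcloud/450.0.0"}}}
{"timestamp":"2024-05-01T10:05:00Z","protoPayload":{"methodName":"google.iam.admin.v1.GetServiceAccount","resourceName":"projects/example-prj/serviceAccounts/ci@example-prj.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.7","callerSuppliedUserAgent":"google-cloud-sdk gcloud/450.0.0"}}}
{"timestamp":"2024-05-01T23:41:00Z","protoPayload":{"methodName":"google.iam.admin.v1.DeleteServiceAccount","resourceName":"projects/example-prj/serviceAccounts/ci@example-prj.iam.gserviceaccount.com","authenticationInfo":{"principalEmail":"bob@example.com"},"requestMetadata":{"callerIp":"198.51.100.9","callerSuppliedUserAgent":"python-requests/2.31.0"}}}
"""
# Stand-in for ASN/GeoIP enrichment (constructed values, not a real lookup).
IP_CONTEXT = {"203.0.113.7": ("AS64496", "us-east"), "198.51.100.9": ("AS64511", "ap-south")}
# Per-principal baseline of previously observed properties (constructed here; in
# practice derived from weeks of the same audit logs).
BASELINE = {
    "alice@example.com": {"actions": {"google.iam.admin.v1.GetServiceAccount"}, "asns": {"AS64496"}, "regions": {"us-east"}, "user_agents": {"google-cloud-sdk gcloud/450.0.0"}},
    "bob@example.com": {"actions": {"google.iam.admin.v1.GetServiceAccount"}, "asns": {"AS64496"}, "regions": {"us-east"}, "user_agents": {"google-cloud-sdk gcloud/450.0.0"}},
}
EMPTY = {"actions": set(), "asns": set(), "regions": set(), "user_agents": set()}

def triage(log_text, baseline=BASELINE, ip_context=IP_CONTEXT):
    """One finding per DeleteServiceAccount entry: who, what, unexpected properties, severity."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        p = json.loads(line)["protoPayload"]
        if p.get("methodName") != DELETE_SA:
            continue
        principal = p["authenticationInfo"]["principalEmail"]
        meta = p.get("requestMetadata", {})
        ip, ua = meta.get("callerIp", ""), meta.get("callerSuppliedUserAgent", "")
        asn, region = ip_context.get(ip, ("unknown", "unknown"))
        known = baseline.get(principal, EMPTY)  # a never-seen principal has nothing expected
        checks = {"action": (DELETE_SA, known["actions"]), "asn": (asn, known["asns"]),
                  "user_agent": (ua, known["user_agents"]), "region": (region, known["regions"])}
        unexpected = [name for name, (value, seen) in checks.items() if value not in seen]
        findings.append({"principal": principal, "caller_ip": ip, "asn": asn,
                         "region": region, "user_agent": ua, "unexpected": unexpected,
                         "service_account": p["resourceName"].rsplit("/", 1)[-1],
                         "severity": SEVERITY[min(len(unexpected), 3)]})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["principal"], "deleted", f["service_account"], "unexpected:", f["unexpected"])
```

The first deletion is by a principal whose ASN, region and user agent are all baselined, so only the action is new and it rates informational; the second comes from an unfamiliar ASN, region and client, and reaches the medium cap.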