Suspicious GCP API calls indicating workload identity pool modification

ID: gcp_workload_identity_pool_modified_suspicious
Data type: Google Cloud Platform
Severity: Informational - Medium
MITRE ATT&CK: TA0003:T1098.001

Description

AlphaSOC detected creation or modification of a GCP Workload Identity Pool via google.iam.v1.WorkloadIdentityPools.CreateWorkloadIdentityPool or UpdateWorkloadIdentityPool. Adversaries may create or modify identity pools to establish persistent access from external systems. Misconfigured pools can allow unauthorized access from external identity providers, enabling attackers to access GCP resources using credentials from systems they control.

Impact

Malicious workload identity pools can grant external systems access to GCP resources. Attackers controlling external identity providers can authenticate to GCP without needing GCP credentials. This provides a persistent access mechanism that may survive standard credential rotation within GCP.

Severity

Severity        Condition
Informational   Unexpected action, ASN, user agent or region
Low             Two unexpected properties at the same time
Medium          Three unexpected properties at the same time
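To make the severity table concrete, the following is an added Python example (not AlphaSOC's code) that scores constructed Cloud Audit Log entries for the two methods named in the description against a per-principal baseline and maps the number of unexpected properties to the severity above. The baseline values, the principals, and the `asn`/`region` enrichment fields are assumptions made for the example.

```python
CREATE_POOL = "google.iam.v1.WorkloadIdentityPools.CreateWorkloadIdentityPool"
UPDATE_POOL = "google.iam.v1.WorkloadIdentityPools.UpdateWorkloadIdentityPool"
IN_SCOPE = {CREATE_POOL, UPDATE_POOL}
CI_SA = "ci-admin@example-project.iam.gserviceaccount.com"  # constructed principal

# Constructed per-principal baseline (assumed to be learned from past audit logs).
BASELINE = {
    CI_SA: {"action": {UPDATE_POOL}, "asn": {15169},
            "user_agent": {"Terraform/1.6.0"}, "region": {"us-central1"}},
}
# Severity keyed by how many of the four properties fall outside the baseline.
SEVERITY = {0: None, 1: "Informational", 2: "Low", 3: "Medium"}


def classify(event, baseline=BASELINE):
    """Return (severity, unexpected_properties) for an in-scope event, else None."""
    payload = event["protoPayload"]
    method = payload["methodName"]
    if method not in IN_SCOPE:
        return None
    # `asn` and `region` are assumed enrichment fields derived from the caller IP
    # beforehand; the user agent comes from protoPayload.requestMetadata.
    observed = {
        "action": method,
        "asn": event["enrichment"]["asn"],
        "user_agent": payload["requestMetadata"]["callerSuppliedUserAgent"],
        "region": event["enrichment"]["region"],
    }
    profile = baseline.get(payload["authenticationInfo"]["principalEmail"], {})
    unexpected = [k for k, v in observed.items() if v not in profile.get(k, set())]
    return SEVERITY[min(len(unexpected), 3)], unexpected


def make_event(method, principal, asn, user_agent, region):
    """Build a minimal constructed log entry in Cloud Audit Logs shape."""
    return {"protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal},
                             "requestMetadata": {"callerSuppliedUserAgent": user_agent}},
            "enrichment": {"asn": asn, "region": region}}


SAMPLE_EVENTS = [  # constructed, not real logs
    make_event(UPDATE_POOL, CI_SA, 15169, "Terraform/1.6.0", "us-central1"),
    make_event(CREATE_POOL, CI_SA, 15169, "Terraform/1.6.0", "us-central1"),
    make_event(UPDATE_POOL, CI_SA, 64496, "python-requests/2.31.0", "us-central1"),
    make_event(CREATE_POOL, "unknown@example.com", 64496, "python-requests/2.31.0", "europe-west1"),
]


def score_all(events=SAMPLE_EVENTS):
    """Classify every sample event in order."""
    return [classify(e) for e in events]
```

A principal with no baseline at all has every property unexpected and lands at Medium, which is why new or rarely seen identities touching a pool deserve a look even when the individual values seem plausible.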

Investigation and Remediation

Review GCP audit logs for workload identity pool operations. Examine the pool configuration, the allowed identity providers, and the attribute mappings and conditions that decide which external identities are accepted. Verify whether the configuration aligns with authorized federation requirements.

If unauthorized, delete the workload identity pool to revoke external access. Review any IAM bindings that reference the pool. Investigate the compromised identity and assess what resources may have been accessed using federated credentials.