Cloud Storage IAM Permission Changed
This alert occurs when Lacework detects a change in the Identity and Access Management (IAM) permissions for a cloud storage bucket.
Cloud storage IAM permissions control who can access your cloud storage resources and what actions they can perform. Changes that trigger this alert include:
- Adding a new member to a cloud storage IAM policy
- Updating an existing member's role in a cloud storage IAM policy
- Removing a current member from a cloud storage IAM policy
Related policy: LW_AT_IAM_51: Cloud Storage IAM Permission Changed
Why this alert is important
This alert can be useful for monitoring changes to the IAM permissions for your cloud storage buckets and ensuring that your data is being accessed only by authorized users and services. Unauthorized changes to IAM permissions can allow malicious actors to access and modify your cloud storage resources.
Investigation
Follow these steps to investigate the alert:
- Identify the cloud storage bucket affected by the IAM permission change, and determine which permissions were changed.
- Use the Audit Logs to review information related to the incident. Look for relevant details, such as the user or service account that made the change, the time and date, the source IP address, and any other useful context.
- Look for any unusual patterns or activities related to the incident. For example, was the incident preceded by multiple failed login attempts or other suspicious activity?
- Determine who had access to the cloud storage bucket during the incident and review their access logs to see if there were any unusual access patterns.
- Determine how the IAM permission change incident occurred. Was it a result of a misconfiguration, or was it the result of an unauthorized access attempt?
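A small triage helper for the audit-log step above, added here as an example (not Lacework's own code): it parses a constructed GCP Cloud Audit Log entry for a bucket IAM change, extracts the actor, bucket, caller IP and every binding delta, and flags grants to public principals or high-privilege roles. The field layout (`storage.setIamPermissions`, `protoPayload.serviceData.policyDelta.bindingDeltas`) is assumed from the GCP audit log format, and the role and principal lists are illustrative.

```python
# Added example (not Lacework's own code): summarise a GCP Cloud Audit Log entry
# for a bucket IAM change and flag the deltas an analyst should look at first.
import json

# Constructed sample entry; field layout follows the assumed GCP Cloud Audit Log
# shape for storage.setIamPermissions (protoPayload.serviceData.policyDelta).
SAMPLE_ENTRY = json.dumps({
    "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/example-bucket",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.10"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            {"action": "ADD", "role": "roles/storage.admin", "member": "user:bob@example.com"},
            {"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "user:carol@example.com"},
        ]}},
    },
    "timestamp": "2024-01-01T12:00:00Z",
})

# Illustrative lists; extend to match your own policy.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
HIGH_PRIVILEGE_ROLES = {"roles/storage.admin", "roles/storage.objectAdmin", "roles/owner"}


def summarize_iam_change(raw_entry: str) -> dict:
    """Return who changed which bucket, each binding delta, and the deltas needing attention."""
    entry = json.loads(raw_entry)
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.setIamPermissions":
        return {}  # not a bucket IAM policy change
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    findings = []
    for d in deltas:
        if d["action"] == "ADD" and d["member"] in PUBLIC_MEMBERS:
            findings.append(f"public access granted: {d['role']} to {d['member']}")
        elif d["action"] == "ADD" and d["role"] in HIGH_PRIVILEGE_ROLES:
            findings.append(f"high-privilege role granted: {d['role']} to {d['member']}")
    return {
        "bucket": payload["resourceName"].rsplit("/", 1)[-1],
        "actor": payload["authenticationInfo"]["principalEmail"],
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "time": entry.get("timestamp"),
        "changes": [(d["action"], d["role"], d["member"]) for d in deltas],
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_iam_change(SAMPLE_ENTRY), indent=2))
```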
Resolution
If you detect an unauthorized cloud storage IAM permission change, use these steps to resolve the incident:
- Immediately revoke access for the member that made the unauthorized change.
- If the unauthorized access resulted from an external threat actor, take steps to mitigate the threat. This may include implementing additional security controls such as multi-factor authentication, access monitoring, and threat detection.
- Remediate any affected resources or data impacted by unauthorized access. For example, you may need to restore backups, delete or quarantine compromised data, or apply security patches.
- Review and update your security policies to prevent similar unauthorized access in the future. This may include reviewing and updating your IAM policies, implementing additional access controls, and conducting security awareness training for your users and administrators.