Custom Role Changed

This alert occurs when Lacework detects a custom Identity and Access Management (IAM) role was modified, deleted or created.

Related policy: LW_AT_RESOURCE_47: Custom Role Changed

Why this alert is important

IAM roles define a set of permissions that determine the actions a user or service account can perform on Google Cloud resources. Custom roles can be created by project or organization administrators to grant specific permissions to users or service accounts that are not available in pre-defined roles.

Monitoring this alert can help organizations ensure that appropriate permissions are granted to users and service accounts and prevent unauthorized access to sensitive resources.

Investigation

Follow these steps to investigate the alert:

  1. Determine which custom IAM role was changed and whether it was modified, deleted, or created.
  2. Review the Audit Logs for more details about the incident. The logs will show who made the change, what was changed, and when the change occurred.
  3. Contact the user who made the change or the project/organization administrator to understand the reason for the change. You can also review any relevant change requests, incident reports, or other documentation to understand the context of the change.
  4. Determine whether the change impacted the security or compliance of your Google Cloud environment.
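The triage in steps 1 and 2 can be scripted over the Cloud Audit Log entries. The following is an added example, not Lacework's code; it assumes the standard audit-log `protoPayload` layout and the IAM Admin API method names `google.iam.admin.v1.CreateRole`, `UpdateRole` and `DeleteRole`, and the log lines it reads are constructed samples, not a real capture.

```python
"""Summarize custom IAM role changes (who, what, when, kind) from Cloud
Audit Log entries. Added example, not Lacework's code. Assumes the IAM Admin
API method names below and the standard protoPayload layout; the sample
entries are constructed, not captured from a real project."""
import json

# Map audit-log method names onto the three change kinds the alert covers.
ROLE_METHODS = {
    "google.iam.admin.v1.CreateRole": "created",
    "google.iam.admin.v1.UpdateRole": "modified",
    "google.iam.admin.v1.DeleteRole": "deleted",
}

# Constructed sample entries, one JSON object per line, in the shape that
# `gcloud logging read --format=json` returns. Values are illustrative only.
SAMPLE_LOG = """
{"timestamp": "2024-05-01T10:15:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.UpdateRole", "resourceName": "projects/example-project/roles/customViewer", "authenticationInfo": {"principalEmail": "alice@example.com"}, "request": {"role": {"includedPermissions": ["storage.objects.get", "iam.serviceAccountKeys.create"]}}}}
{"timestamp": "2024-05-01T10:20:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.DeleteRole", "resourceName": "projects/example-project/roles/oldRole", "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"}}}
{"timestamp": "2024-05-01T10:25:00Z", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/b/objects/o", "authenticationInfo": {"principalEmail": "bob@example.com"}}}
"""


def summarize_role_changes(log_text):
    """Return one dict per custom-role change: when, who, which role, what
    kind of change, and (for create/update) the permissions the role body
    carries, so a reviewer can judge the impact of the change."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        kind = ROLE_METHODS.get(payload.get("methodName"))
        # Skip anything that is not a custom role change from the IAM API.
        if payload.get("serviceName") != "iam.googleapis.com" or kind is None:
            continue
        role = payload.get("request", {}).get("role", {})
        findings.append({
            "when": entry.get("timestamp"),
            "who": payload.get("authenticationInfo", {}).get("principalEmail"),
            "role": payload.get("resourceName"),
            "kind": kind,
            "permissions": role.get("includedPermissions", []),
        })
    return findings


if __name__ == "__main__":
    for finding in summarize_role_changes(SAMPLE_LOG):
        print(finding)
```

Each returned record answers the investigation questions directly (who, what, when) and lists the permissions in an updated or created role so the security impact can be assessed before the change is approved or revoked.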

Resolution

If you detect an unauthorized custom role change, take immediate action to address the issue, including:

  1. Revoke the affected role to prevent further unauthorized access.
  2. Determine the scope of the unauthorized access and assess the impact on your Google Cloud environment. This includes identifying any compromised resources, data, or sensitive information.
  3. Conduct a thorough investigation to determine how the unauthorized change occurred. This may involve reviewing your Audit Logs, interviewing users, or reviewing relevant documentation.
  4. Implement corrective actions to address the issue. This may include modifying your IAM policies, strengthening your security controls, or improving your monitoring and alerting capabilities.
  5. If the unauthorized change involved sensitive data or affected many users, you may need to notify relevant parties, such as customers or regulatory bodies.
  6. Review and improve your security controls to identify areas for improvement. This may include conducting user security awareness training, implementing more robust authentication mechanisms, or reviewing your access management policies.