Folder IAM Policy Changed
This alert occurs when Lacework detects a change in the Identity and Access Management (IAM) policies for a folder.
Related policy: LW_AT_IAM_166: Folder IAM Policy Changed
Why this alert is important
A folder is a logical grouping of resources in Google Cloud that allows you to hierarchically manage permissions and policies for a set of related resources. The IAM policies for a folder determine who can access the resources within that folder and what actions they can perform.
When the IAM policy for a folder is changed, it can impact the security and compliance of the resources within that folder. For example, if an unauthorized user is granted access to a folder, they may be able to access sensitive data or modify resources without proper authorization. On the other hand, if a user is removed from a folder's IAM policy, they may lose access to the resources they need to perform their job.
Monitoring folder IAM policy changes is essential for maintaining the security and compliance of your Google Cloud environment.
Investigation
Follow these steps to investigate the alert:
- Review the event logs in the Cloud Logging console to identify the folder where the IAM policy change occurred.
- Look at the event details to determine the scope and nature of the change. This may include information about the user or service account that made the change, the time of the change, and the specific permissions that were modified.
- Review the Audit Logs for the affected folder to get a complete picture of the changes that were made. This may include changes to permissions, the creation or deletion of resources, and any other actions performed by the user or service account.
- Investigate the root cause of the change. This may involve interviewing users, reviewing documentation, or conducting further analysis of the Audit Logs.
- Determine the impact of the change on your Google Cloud environment. This may include identifying any compromised resources, data, or sensitive information.
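As an added example for the second and third steps (this is not code from the Lacework page or product), the Python helper below walks one Cloud Audit Log entry for a SetIamPolicy call on a folder and pulls out the actor, the folder, each binding that was added or removed, and the additions that warrant immediate attention (high-privilege roles, public members, and roles the actor granted to themself). It assumes the audit-log layout protoPayload.serviceData.policyDelta.bindingDeltas, and the sample entry is constructed, so check both against an entry exported from your own project.

```python
import json

# Added example; not from the Lacework page or product. Assumes the
# Cloud Audit Log layout for SetIamPolicy (protoPayload.serviceData.policyDelta).
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor",
                        "roles/resourcemanager.folderAdmin", "roles/iam.securityAdmin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample log entry for illustration, not real data.
SAMPLE_ENTRY = json.dumps({
    "timestamp": "2024-03-01T12:34:56Z",
    "resource": {"type": "folder", "labels": {"folder_id": "123456789012"}},
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "someone@example.com"},
        "resourceName": "folders/123456789012",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:someone@example.com"},
            {"action": "REMOVE", "role": "roles/viewer", "member": "group:auditors@example.com"},
            {"action": "ADD", "role": "roles/viewer", "member": "allUsers"},
        ]}},
    },
})


def summarize_folder_iam_change(entry_json):
    """Return actor, folder, time, all binding deltas and the risky additions; None if not a folder SetIamPolicy."""
    entry = json.loads(entry_json)
    payload = entry["protoPayload"]
    if payload.get("methodName") != "SetIamPolicy" or entry["resource"]["type"] != "folder":
        return None
    actor = payload["authenticationInfo"]["principalEmail"]
    deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
    high_risk, self_grants = [], []
    for d in deltas:
        if d["action"] != "ADD":
            continue  # removals can break access but are not privilege gains
        if d["role"] in HIGH_PRIVILEGE_ROLES or d["member"] in PUBLIC_MEMBERS:
            high_risk.append(d)
        if d["member"].endswith(":" + actor):
            self_grants.append(d["role"])  # the actor granted a role to themself
    return {"actor": actor, "folder": payload["resourceName"], "time": entry["timestamp"],
            "deltas": deltas, "high_risk_additions": high_risk, "self_grants": self_grants}


if __name__ == "__main__":
    print(json.dumps(summarize_folder_iam_change(SAMPLE_ENTRY), indent=2))
```

Feed it each entry returned by a Cloud Logging query filtered on methodName SetIamPolicy and resource.type folder to get a per-change summary for the investigation notes.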
Resolution
Use the following steps to resolve an unauthorized folder IAM policy change:
- Immediately revoke access to the affected folder or modify your IAM policies.
- Implement preventive measures to avoid future unauthorized changes. This may include implementing more robust authentication controls, reviewing IAM policies and permissions regularly, or limiting access to sensitive resources.
- If the unauthorized change resulted in an undesirable or unintended IAM policy, restore the original IAM policy. This may involve using the IAM policy version history feature to revert to a previous version.
- Monitor your Google Cloud environment for future changes to IAM policies, especially for folders with sensitive resources or permissions.