
GCP Service Account Logged In From New Source

This alert occurs when Lacework detects that a service account has accessed your Google Cloud environment from a new geolocation for the first time. Lacework uses a geo-IP lookup service (a tool or service that provides geolocation information, such as the country, city, or region of origin, based on an IP address) to determine the location, and the IP address was not previously associated with this account.

Why this alert is important

Service accounts represent application or compute workload identities. They typically do not change geographic locations. If a service account accesses your Google Cloud environment from a new location, it could signal possible credential compromise and suspicious activity.

Why this might be just fine

In rare instances, Lacework's geolocation lookup service may yield different locations, resulting in a false positive. This could happen when the workload or application utilizing the service account undergoes a failover to a new data center or cloud region.

Investigation

Use the steps below to investigate this alert:

  1. Identify the origin of the caller IP (the IP address from which a request or communication is initiated) and understand how it differs from the IP addresses this account normally uses.
    • Refer to the What section in the Alert Details to locate the caller IP.
    • Click the service account name mentioned in the alert description to access all activities associated with this service account.
    • Extend the time window to one week and compare the previous location with the new one. Observe the level of variation in location. Has the country of the location changed?
  2. Perform a reverse IP lookup on the caller IP to verify its origin. Check if it is associated with a Google ASN (Autonomous System Number).
  3. Check if the service account is using typical services and API methods. Additionally, examine whether there has been any change in its behavior, especially in calling sensitive APIs.
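The three investigation steps above can be scripted against exported audit-log events. The following is an added example, not Lacework's or Google's code: the events, the Google CIDR list and the set of sensitive API methods are constructed placeholders, and in practice you would pull events from Cloud Audit Logs and compare the caller IP against Google's published IP ranges. It builds a one-week baseline for the account, reports whether the caller IP or its country is new (step 1), checks the IP against the address ranges and does an optional PTR lookup (step 2), and lists API methods the new IP invoked that the baseline never did (step 3).

```python
"""Triage helper for a 'GCP service account logged in from new source' alert.

Added example, not Lacework's or Google's code. SAMPLE_EVENTS, the
GOOGLE_RANGES_PLACEHOLDER list and SENSITIVE_METHODS are constructed data.
"""
import ipaddress
import socket
from datetime import datetime, timedelta

# Constructed sample audit-log events for one service account (hypothetical values).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "ip": "203.0.113.10", "country": "US", "method": "storage.objects.get"},
    {"ts": "2024-03-03T10:05:00", "ip": "203.0.113.10", "country": "US", "method": "storage.objects.get"},
    {"ts": "2024-03-05T10:10:00", "ip": "203.0.113.11", "country": "US", "method": "storage.objects.list"},
    {"ts": "2024-03-07T22:15:00", "ip": "198.51.100.77", "country": "DE", "method": "iam.serviceAccountKeys.create"},
    {"ts": "2024-03-07T22:16:00", "ip": "198.51.100.77", "country": "DE", "method": "storage.objects.get"},
]

# Placeholder standing in for Google's published IP ranges; not the real list.
GOOGLE_RANGES_PLACEHOLDER = [ipaddress.ip_network("203.0.113.0/24")]

# Illustrative set of API methods that deserve extra scrutiny from a new caller IP.
SENSITIVE_METHODS = {
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.setIamPolicy",
    "cloudresourcemanager.projects.setIamPolicy",
}


def parse_ts(value):
    return datetime.fromisoformat(value)


def in_google_ranges(ip, ranges=GOOGLE_RANGES_PLACEHOLDER):
    """Step 2: does the caller IP fall inside the (placeholder) Google address space?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def reverse_lookup(ip):
    """Step 2: PTR lookup for the caller IP; returns None when offline or no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def triage(events, alert_ip, alert_ts, window_days=7):
    """Compare the alerting caller IP with the account's activity over the prior week.

    Returns the findings an analyst checks in steps 1 and 3 as a dict.
    """
    alert_time = parse_ts(alert_ts)
    window_start = alert_time - timedelta(days=window_days)

    # Everything the account did in the week before the alert fired.
    prior = [e for e in events if window_start <= parse_ts(e["ts"]) < alert_time]
    ip_previously_seen = any(e["ip"] == alert_ip for e in prior)

    # Baseline = prior activity from other IPs; alert_events = everything from the new IP.
    baseline = [e for e in prior if e["ip"] != alert_ip]
    alert_events = [e for e in events if e["ip"] == alert_ip]

    known_countries = {e["country"] for e in baseline}
    alert_countries = {e["country"] for e in alert_events}
    baseline_methods = {e["method"] for e in baseline}
    alert_methods = {e["method"] for e in alert_events}
    new_methods = alert_methods - baseline_methods

    return {
        "ip_previously_seen": ip_previously_seen,
        "known_countries": sorted(known_countries),
        "country_changed": not alert_countries.issubset(known_countries),
        "in_google_range": in_google_ranges(alert_ip),
        "new_methods": sorted(new_methods),
        "new_sensitive_methods": sorted(new_methods & SENSITIVE_METHODS),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS, "198.51.100.77", "2024-03-07T22:15:00")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

A caller IP that is new, comes from a different country, sits outside the Google ranges and immediately creates a service-account key (as in the sample) is the combination that should move the alert to the Resolution steps; a new IP that is still inside the known country and the Google ranges and calls only the usual methods is the failover case described under "Why this might be just fine".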

Resolution

After identifying that a service account in Google Cloud has been compromised, it is important to take immediate action to prevent further damage. Here are some steps you can take to resolve the issue:

  1. Disable the service account. This can be done by going to the IAM & Admin page in the Google Cloud console, locating the compromised service account and clicking Disable.
  2. If the service account was used to generate access tokens, you should revoke them immediately to prevent further access. You can do this by going to the APIs & Services page in the Google Cloud console, selecting Credentials and then revoking any access tokens associated with the compromised service account. Review the Audit Logs and any other relevant data to determine how the account was accessed and what actions were taken.
  3. Reset any affected credentials. If the compromised service account had access to any sensitive data or resources, you should reset any credentials or passwords associated with those resources to prevent further unauthorized access.
  4. Implement additional security measures such as multi-factor authentication or access controls to prevent similar incidents from happening in the future.
  5. Monitor for further suspicious activity.
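Steps 1 and 2 of the resolution can be driven from the gcloud CLI instead of the console, which is useful when several accounts must be contained at once. The following is an added example, not Lacework's or Google's tooling: it wraps `gcloud iam service-accounts disable` and `gcloud iam service-accounts keys list/delete`, the project and account names are placeholders, and the key listing used in dry-run mode is constructed. With `dry_run=True` nothing is executed; the command list is returned so it can be reviewed before running it for real.

```python
"""Containment runbook for a compromised GCP service account.

Added example, not Lacework's or Google's code. It disables the account and
deletes its user-managed keys via the gcloud CLI; the account, project and
key names below are placeholders.
"""
import json
import subprocess


def _run(cmd, dry_run, executed):
    """Record the command; execute it only when not in dry-run mode."""
    executed.append(cmd)
    if dry_run:
        return ""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def contain_service_account(sa_email, project, dry_run=True, key_listing=None):
    """Disable the account, then delete every user-managed key so leaked key files stop working.

    key_listing: in dry-run mode, a constructed stand-in for the JSON that
    `gcloud iam service-accounts keys list --format=json` would return.
    Returns the list of gcloud commands issued (or that would be issued).
    """
    executed = []
    base = ["gcloud", "iam", "service-accounts"]

    # Step 1: disable the account so new tokens cannot be minted for it.
    _run(base + ["disable", sa_email, "--project", project], dry_run, executed)

    # Step 2: enumerate user-managed keys (system-managed ones cannot be deleted).
    out = _run(base + ["keys", "list", "--iam-account", sa_email, "--project", project,
                       "--managed-by", "user", "--format", "json"], dry_run, executed)
    keys = key_listing if dry_run else json.loads(out or "[]")

    for key in keys or []:
        # Key resource names end in .../keys/KEY_ID; gcloud wants just KEY_ID.
        key_id = key["name"].rsplit("/", 1)[-1]
        _run(base + ["keys", "delete", key_id, "--iam-account", sa_email,
                     "--project", project, "--quiet"], dry_run, executed)
    return executed


# Constructed placeholder listing, shaped like the gcloud JSON output.
PLACEHOLDER_KEYS = [
    {"name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/KEYID-AAAA"},
    {"name": "projects/example-project/serviceAccounts/app-sa@example-project.iam.gserviceaccount.com/keys/KEYID-BBBB"},
]

if __name__ == "__main__":
    for cmd in contain_service_account("app-sa@example-project.iam.gserviceaccount.com",
                                       "example-project", dry_run=True,
                                       key_listing=PLACEHOLDER_KEYS):
        print(" ".join(cmd))
```

Disabling the account takes effect for new token requests, while deleting user-managed keys invalidates the key material that may have been exfiltrated; run the audit-log review from step 2 of the resolution before deleting keys if you need the key IDs for the investigation record.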