IAM Policy Changed (Google Cloud)

This alert occurs when Lacework detects a change in the Identity and Access Management (IAM) policy for a resource.

Related policy: LACEWORK-GLOBAL-12: IAM Policy Change

Why this alert is important

IAM allows you to manage access to Cloud Storage buckets, Compute Engine instances, and other Google Cloud services. When an IAM policy is changed, it can affect who has access to a resource, what actions they can perform, and what data they can view or modify.

By monitoring IAM policy changes, you can detect and respond to any unauthorized changes or suspicious activity in your Google Cloud environment and take appropriate action to protect your data and infrastructure.

Investigation

Follow these steps to investigate the alert:

  1. Check the Audit Logs to determine who made the IAM policy change, when, and what changes were made. To narrow your investigation, you can search the logs by resource type, user, and time range.
  2. Verify that the user who made the IAM policy change is authorized. If the user is not authorized, it may indicate malicious activity.
  3. Check the new IAM policy to determine what changes were made. If the changes grant unauthorized access to a resource or give a user more privileges than they need, it may be a sign of malicious activity.
  4. Check for any unusual activity in your Google Cloud environment, such as unexpected API requests or unusual logins. Malicious actors may have accessed your environment and made the IAM policy change from there.
  5. If you suspect the IAM policy change is malicious, immediately report the incident to your organization's security team or Google Cloud Support. They can guide you on how to mitigate the issue and prevent it from happening again.
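The first three investigation steps (who changed the policy, when, and which bindings were added or removed) can be worked from the Cloud Audit Log entry itself. The following added example, not part of the Lacework documentation, triages exported Admin Activity log lines for SetIamPolicy calls and flags binding deltas that grant a sensitive role or expose a resource to a public principal; the log entry and the watch lists are constructed and assumed, so tune them for your environment.

```python
import json

# Assumed watch lists: roles and principals that warrant immediate attention when granted.
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/iam.serviceAccountTokenCreator"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample Admin Activity audit log entry for a SetIamPolicy call (one JSON line).
SAMPLE_ENTRIES = [json.dumps({
    "timestamp": "2024-05-01T10:15:00Z",
    "protoPayload": {
        "methodName": "SetIamPolicy",
        "resourceName": "projects/example-project",
        "authenticationInfo": {"principalEmail": "dev@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:contractor@example.net"},
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:contractor@example.net"},
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
        ]}},
    },
})]


def triage_iam_changes(log_lines):
    """Return one finding per binding delta found in SetIamPolicy entries of the JSON lines."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue  # only IAM policy changes are of interest for this alert
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            reasons = []  # why this delta deserves attention; empty means informational
            if d["action"] == "ADD" and d["role"] in SENSITIVE_ROLES:
                reasons.append("sensitive role granted")
            if d["action"] == "ADD" and d["member"] in PUBLIC_MEMBERS:
                reasons.append("public principal granted access")
            findings.append({"time": entry.get("timestamp"), "actor": actor,
                             "resource": payload.get("resourceName"), "action": d["action"],
                             "role": d["role"], "member": d["member"],
                             "severity": "high" if reasons else "info", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_iam_changes(SAMPLE_ENTRIES):
        print(f"[{f['severity']}] {f['time']} {f['actor']} {f['action']} {f['role']} "
              f"-> {f['member']} on {f['resource']} {f['reasons']}")
```

The REMOVE deltas in the output tell you exactly which bindings to restore in the Resolution steps, and the actor field is what you verify against your change records.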

Resolution

Use the following steps to resolve an unauthorized IAM policy change:

  1. If the IAM policy change granted unauthorized access to a resource, revoke that access immediately to prevent further unauthorized access.
  2. If the IAM policy change modified the permissions of an authorized user or role, restore the IAM policy to its previous state.
  3. Investigate further to determine the extent of the damage and whether any data was compromised. Review the logs and audit trails to determine what actions were taken on the resource and who may have accessed it.
  4. Implement additional security measures to prevent future malicious activity. For example, you can implement more restrictive IAM policies, enable Audit Logs, or consider using multi-factor authentication (MFA) for IAM users.
  5. Report the incident to your organization's security team or Google Cloud Support to ensure appropriate measures are taken to prevent similar incidents.