A New Service Account Has Been Created
This alert occurs when Lacework detects that a new service account has been created in your Google Cloud project.
A service account is a special account type that is used by applications or services to authenticate and authorize access to Google Cloud resources.
Related policy: LW_AT_RESOURCE_169: Service Account Created
Why this alert is important
Service accounts can have access to sensitive resources in your Google Cloud project, such as virtual machines, storage buckets, or databases. By detecting when a new service account is created, you can verify that only authorized personnel are creating service accounts and that each account is granted only the permissions it needs.
Investigation
If you suspect that a new service account in Google Cloud may be malicious, follow these steps to investigate the alert:
- Check the Audit Logs to identify who created the service account and from where. This can help you determine if a legitimate user created the service account or if it was created by an attacker who gained unauthorized access to your project.
- Check the roles and permissions assigned to the service account to determine what resources it has access to. If the service account has been granted excessive permissions, it may indicate that it was created for malicious purposes.
- Monitor service account activity to determine if it is behaving suspiciously. For example, if the service account is accessing resources that it shouldn't be or making an unusually high number of requests, it may indicate that it is being used for malicious purposes.
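The first two investigation steps, worked as an added example that is not Lacework's or Google's own code: it filters Cloud Audit Log entries down to service account creation events, records who created the account and from which IP, and compares the roles bound to the new account against a set of privileged roles. The log entries, IAM policy, privileged-role set and "known network" range are constructed samples with placeholder names and addresses; in practice the inputs come from `gcloud logging read` and `gcloud projects get-iam-policy PROJECT --format=json`.

```python
"""Triage a 'service account created' alert from Cloud Audit Log entries.

Added example, not Lacework's or Google's own code. The log entries and
IAM policy below are constructed samples in the shape of Cloud Audit Log
and IAM policy JSON; project names, emails and IPs are placeholders.
"""
import ipaddress
import json

# Admin Activity audit logs record service account creation under this method.
CREATE_SA_METHOD = "google.iam.admin.v1.CreateServiceAccount"

# Roles that grant broad control. A freshly created service account holding
# any of these is flagged as excessive (assumption: tune this set per org).
PRIVILEGED_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountKeyAdmin",
    "roles/resourcemanager.projectIamAdmin",
}

# Assumption: the organisation's known egress ranges (a TEST-NET range here).
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: three newline-delimited audit log entries. The middle
# one is a SetIamPolicy call and must be ignored by the creation filter.
SAMPLE_LOG_LINES = """\
{"timestamp": "2024-05-01T09:12:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccount", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}, "resourceName": "projects/example-project", "response": {"email": "ci-deploy@example-project.iam.gserviceaccount.com"}}}
{"timestamp": "2024-05-01T09:13:00Z", "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.10"}, "resourceName": "projects/example-project"}}
{"timestamp": "2024-05-01T23:41:00Z", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccount", "authenticationInfo": {"principalEmail": "bob@example.com"}, "requestMetadata": {"callerIp": "198.51.100.7"}, "resourceName": "projects/example-project", "response": {"email": "backup-svc@example-project.iam.gserviceaccount.com"}}}
"""

# Constructed sample project IAM policy (shape of `gcloud projects get-iam-policy`).
SAMPLE_POLICY = {
    "etag": "BwXplaceholder=",
    "version": 1,
    "bindings": [
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci-deploy@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com",
                     "serviceAccount:backup-svc@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:backup-svc@example-project.iam.gserviceaccount.com"]},
    ],
}


def is_known_caller(ip):
    """True when the caller IP lies inside a known network; malformed IPs count as unknown."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_NETWORKS)


def parse_creation_events(lines):
    """Yield who/where/what for each CreateServiceAccount entry in newline-delimited JSON."""
    for raw in lines.splitlines():
        if not raw.strip():
            continue
        entry = json.loads(raw)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != CREATE_SA_METHOD:
            continue
        yield {
            "timestamp": entry.get("timestamp"),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": payload.get("requestMetadata", {}).get("callerIp", ""),
            "project": payload.get("resourceName"),
            "service_account": payload.get("response", {}).get("email"),
        }


def roles_for_member(policy, member):
    """Project-level roles bound to `member`, e.g. 'serviceAccount:x@p.iam.gserviceaccount.com'."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def triage(lines, policy):
    """Produce one finding per created service account: actor, origin, roles and flags."""
    findings = []
    for event in parse_creation_events(lines):
        roles = roles_for_member(policy, f"serviceAccount:{event['service_account']}")
        event["roles"] = sorted(roles)
        event["excessive_roles"] = sorted(roles & PRIVILEGED_ROLES)
        event["flags"] = []
        if not is_known_caller(event["caller_ip"]):
            event["flags"].append("caller outside known networks")
        if event["excessive_roles"]:
            event["flags"].append("privileged role bound")
        findings.append(event)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG_LINES, SAMPLE_POLICY):
        print(json.dumps(finding, indent=2))
```

On the sample data the account created by alice from a known range with only `roles/viewer` produces no flags, while the account created late at night from an unknown address and bound to `roles/owner` is flagged twice. Project-level bindings are only part of the picture: roles granted directly on buckets, instances or datasets live in those resources' own policies and need the same check.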
Resolution
Use the following steps to resolve an unauthorized new service account:
- Revoke the service account's permissions.
- Delete the account to ensure it cannot be used maliciously. This can be done through the Google Cloud console, the Cloud SDK (gcloud), or the API.
- Review and update security controls. This may include reviewing who has access to your project and resources, implementing stronger authentication and access controls, and monitoring for suspicious activity.
- Conduct a post-incident review to identify any gaps in your security controls and make improvements to prevent similar incidents from happening in the future.
- If you are unsure of the best way to resolve the issue or if you suspect that the incident may have caused significant damage to your project or data, consider engaging a security consultant or forensic specialist to assist with the investigation and remediation process.
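The first resolution step, revoking the service account's permissions, worked as an added example that is not Lacework's or Google's own code. It prunes every project-level IAM binding for the account from a policy document in the shape `gcloud projects get-iam-policy PROJECT --format=json` returns, and reports which roles were removed so the incident record is complete. The policy below is a constructed sample with placeholder names; the `deleted:...?uid=` member form is how IAM shows bindings left behind by an account that has already been deleted.

```python
"""Revoke a service account's project-level access by pruning its IAM bindings.

Added example, not Lacework's or Google's own code. It operates on a policy
dict in the shape returned by `gcloud projects get-iam-policy PROJECT
--format=json`; the policy below is a constructed sample with placeholder
names.
"""
import copy

# Constructed sample. The account under investigation holds roles/owner
# alongside a user, a conditional binding of its own, and a stale binding in
# the "deleted:" form from an earlier incarnation of the same account name.
SA = "serviceAccount:backup-svc@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "etag": "BwXplaceholder=",
    "version": 3,
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:alice@example.com", SA]},
        {"role": "roles/storage.objectAdmin",
         "members": [SA],
         "condition": {"title": "weekdays-only",
                       "expression": "request.time.getDayOfWeek('UTC') < 6"}},
        {"role": "roles/logging.viewer",
         "members": ["deleted:" + SA + "?uid=123456789012345678901"]},
        {"role": "roles/viewer",
         "members": ["user:carol@example.com"]},
    ],
}


def binds_member(member_entry, member):
    """True for the live member and for the `deleted:...?uid=N` form IAM
    leaves behind once the account is gone."""
    return member_entry == member or member_entry.startswith(f"deleted:{member}?uid=")


def revoke_member(policy, member):
    """Return a copy of `policy` with every binding for `member` removed.

    Bindings whose member list becomes empty are dropped entirely (IAM rejects
    empty member lists), conditional bindings are treated the same way, and the
    etag is preserved so that a later set-iam-policy fails instead of silently
    overwriting a concurrent change. The input policy is not mutated.
    """
    pruned = copy.deepcopy(policy)
    kept = []
    for binding in pruned.get("bindings", []):
        members = [m for m in binding.get("members", []) if not binds_member(m, member)]
        if members:
            binding["members"] = members
            kept.append(binding)
    pruned["bindings"] = kept
    return pruned


def removed_roles(before, after, member):
    """Roles the member lost between two policies, for the incident record."""
    def roles(policy):
        return {b["role"] for b in policy.get("bindings", [])
                if any(binds_member(m, member) for m in b.get("members", []))}
    return sorted(roles(before) - roles(after))


if __name__ == "__main__":
    import json
    pruned = revoke_member(SAMPLE_POLICY, SA)
    print("removed:", removed_roles(SAMPLE_POLICY, pruned, SA))
    print(json.dumps(pruned, indent=2))
```

Write the pruned policy to a file and apply it with `gcloud projects set-iam-policy PROJECT pruned.json`; the preserved etag makes the call fail if the policy changed in the meantime, which is the safe outcome during an incident. Project bindings are not the whole story: roles granted directly on buckets, instances or datasets sit in those resources' own policies, and any user-managed keys the account holds (`gcloud iam service-accounts keys list --iam-account=EMAIL`) keep working until they are deleted. Disabling the account (`gcloud iam service-accounts disable EMAIL`) before deleting it (`gcloud iam service-accounts delete EMAIL`) gives you a window to confirm nothing legitimate broke.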