Organization IAM Policy Changed
This alert occurs when Lacework detects a change in the IAM (Identity and Access Management) policy for a Google Cloud organization.
Related policy: LW_AT_IAM_167: Organization IAM Policy Changed
Why this alert is important
The IAM policy for an organization is a set of rules that determines which users and services have access to the organization's resources in Google Cloud. The policy can be managed at the organization level, and changes made to the policy can significantly impact the organization's security posture.
By monitoring this alert, you can identify and take action against individuals who make unauthorized changes to the policy.
Investigation
If you suspect a malicious modification has been made to the Organization’s IAM policy, follow these steps to investigate the alert:
- Check the Audit Logs to identify when and by whom the changes were made. Reviewing the logs can help identify any unauthorized modifications and provide insights into the nature of the changes.
- Determine the scope of the issue by checking whether any resources were accessed or modified as a result of the IAM policy change. This helps establish the potential impact of the malicious modification.
- If necessary, collect additional evidence, such as server logs, network traffic logs, and system configurations, to identify the root cause of the issue.
- Contain the issue by revoking unauthorized access, locking down the affected resources, and preventing further unauthorized access.
Resolution
Use the following steps to resolve an unauthorized modification to the Organization’s IAM policy:
- Revoke any unauthorized access to the affected resources.
- Restore the IAM policy to its previous state before the unauthorized modification was made.
- Investigate the root cause of the unauthorized modification to prevent similar incidents in the future. This may involve collecting additional evidence or working with a qualified cybersecurity professional to identify the source of the unauthorized modification.
- Implement additional security controls to prevent future unauthorized modifications to the IAM policy. For example, consider enabling two-factor authentication or restricting the ability to modify the organization IAM policy to a limited set of authorized users.
- Conduct a post-incident review to identify weaknesses in the organization's IAM policy management and make changes as necessary to prevent similar incidents.
- If sensitive data was exposed or compromised, notify affected parties and follow the required reporting procedures.
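The audit-log review in the Investigation steps and the policy restore in the Resolution steps can both be worked from a single SetIamPolicy audit log entry. The following added example (not part of the Lacework documentation) parses a constructed Cloud Audit Log entry for an organization-level SetIamPolicy call, reports who made the change, when and from where, flags grants of high-risk roles, and builds the gcloud commands that reverse each binding delta. The HIGH_RISK_ROLES set and all sample values are assumptions.

```python
import json

# Roles whose grant at organization scope warrants immediate attention.
# Assumption: tune this set to your own organization's risk model.
HIGH_RISK_ROLES = {"roles/owner", "roles/resourcemanager.organizationAdmin",
                   "roles/iam.securityAdmin"}

# Constructed sample: a Cloud Audit Log entry in the shape emitted for
# SetIamPolicy on an organization (all values are fictitious).
SAMPLE_ENTRY = json.loads("""
{
  "timestamp": "2024-01-15T10:22:31.123Z",
  "protoPayload": {
    "serviceName": "cloudresourcemanager.googleapis.com",
    "methodName": "SetIamPolicy",
    "resourceName": "organizations/123456789012",
    "authenticationInfo": {"principalEmail": "alice@example.com"},
    "requestMetadata": {"callerIp": "203.0.113.7"},
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"},
      {"action": "REMOVE", "role": "roles/viewer", "member": "group:auditors@example.com"}
    ]}}
  }
}
""")

def summarize_policy_change(entry):
    """Who changed the org IAM policy, when, from where, and which bindings changed."""
    payload = entry["protoPayload"]
    if payload.get("methodName") != "SetIamPolicy":
        return None  # some other API call; not a policy change
    deltas = (payload.get("serviceData", {}).get("policyDelta", {})
              .get("bindingDeltas", []))
    return {
        "resource": payload["resourceName"],
        "actor": payload["authenticationInfo"]["principalEmail"],
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
        "timestamp": entry["timestamp"],
        "deltas": [(d["action"], d["role"], d["member"]) for d in deltas],
    }

def high_risk_grants(summary):
    """ADD deltas that grant a high-risk role; these set containment priority."""
    return [d for d in summary["deltas"] if d[0] == "ADD" and d[1] in HIGH_RISK_ROLES]

def revert_commands(summary):
    """gcloud commands that undo each delta, restoring the previous policy state."""
    org_id = summary["resource"].split("/", 1)[1]
    return [f"gcloud organizations {'remove' if a == 'ADD' else 'add'}-iam-policy-binding "
            f"{org_id} --member={m} --role={r}" for a, r, m in summary["deltas"]]
```

Review the generated revert commands against the last known-good policy before running them, since a REMOVE delta may itself have been legitimate.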