Project IAM Policy Changed

This alert occurs when Lacework detects a change in the IAM (Identity and Access Management) policy for a specific Google Cloud project.

The IAM policy controls access to resources within a project and specifies who has what level of access. This alert is generated whenever a change is made to a project's IAM policy, including additions, modifications, or removals of IAM roles or permissions for users, groups, or service accounts within the project.

Related policy: LW_AT_IAM_165: Project IAM Policy Changed

Why this alert is important

Unauthorized or improper changes to the IAM policy can result in data exposure, system compromise, and other security incidents.

Investigation

If you suspect a malicious modification to the project's IAM policy, follow these steps to investigate the alert:

  1. Review the Audit Logs for details about the change, including the identity of the user who made the change, the time and date of the change, and the type of change made.
  2. Determine which resources were affected by the change in the IAM policy. This can help you understand the potential impact of the change and identify any other resources that may have been affected.
  3. Collect additional information about the user who made the change, including their identity, location, and access privileges. This can help you identify whether the change was authorized or unauthorized.
  4. Conduct a root cause analysis to identify how the unauthorized modification was made. This may involve examining the network logs, reviewing access control lists, and analyzing other system logs to determine how the attacker gained access to the system.
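As an added example that is not part of this Lacework documentation, the following Python sketch supports step 1: it flattens Google Cloud Audit Log `SetIamPolicy` entries into one record per changed binding (who, when, which role, which member) and tags bindings that merit a closer look. It assumes the Cloud Audit Logs `AuditLog`/`AuditData` layout (`protoPayload.serviceData.policyDelta.bindingDeltas`); the sample log, the role list and the trusted-domain list are constructed placeholders.

```python
import json
from collections import namedtuple

# Review thresholds (assumptions for this example; tune them to your environment).
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
TRUSTED_DOMAINS = {"example.com"}  # constructed: your organisation's identity domains
# One record per changed binding; flags lists the reasons the change deserves a closer look.
BindingChange = namedtuple("BindingChange", "timestamp actor project action role member flags")

def review_flags(action, role, member):
    flags = []
    if action == "ADD" and role in HIGH_PRIVILEGE_ROLES:
        flags.append("high-privilege role granted")
    if member in PUBLIC_MEMBERS:
        flags.append("public principal")
    domain = member.rsplit("@", 1)[-1] if "@" in member else ""
    if domain and domain not in TRUSTED_DOMAINS and not domain.endswith(".gserviceaccount.com"):
        flags.append("external domain")
    return tuple(flags)

def extract_binding_changes(entries):
    """Flatten SetIamPolicy audit entries into who changed which binding, and when."""
    changes = []
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != "SetIamPolicy":
            continue  # other admin activity on the project is out of scope here
        actor = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            changes.append(BindingChange(e.get("timestamp", ""), actor, p.get("resourceName", ""),
                                         d["action"], d["role"], d["member"],
                                         review_flags(d["action"], d["role"], d["member"])))
    return changes

# Constructed sample in Cloud Audit Log shape: two SetIamPolicy entries on one project.
SAMPLE_LOG = json.loads("""[
 {"timestamp": "2024-05-01T10:00:00Z", "protoPayload": {"methodName": "SetIamPolicy",
  "resourceName": "projects/demo-project", "authenticationInfo": {"principalEmail": "alice@example.com"},
  "serviceData": {"policyDelta": {"bindingDeltas": [
   {"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"},
   {"action": "ADD", "role": "roles/owner", "member": "user:contractor@other-org.test"}]}}}},
 {"timestamp": "2024-05-01T10:05:00Z", "protoPayload": {"methodName": "SetIamPolicy",
  "resourceName": "projects/demo-project", "authenticationInfo": {"principalEmail": "alice@example.com"},
  "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "REMOVE", "role": "roles/viewer", "member": "allUsers"}]}}}}
]""")

for c in extract_binding_changes(SAMPLE_LOG):  # one line per changed binding, flags last
    print(f"{c.timestamp} {c.actor} {c.action} {c.role} -> {c.member} {list(c.flags)}")
```

In a real investigation, feed it the export of a Logs Explorer query filtered on `protoPayload.methodName="SetIamPolicy"` for the project named in the alert.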

Resolution

Use the following steps to resolve an unauthorized modification to the project's IAM policy:

  1. If the unauthorized modification was made by a user or service account, revoke their access to the project immediately. This can help prevent further unauthorized modifications or data breaches.
  2. If you have a backup of the IAM policy before the unauthorized modification, restore it to the previous state. If you do not have a backup, review the changes made to the IAM policy and remove any unauthorized changes. Ensure that the policy is restored to a secure and compliant state.
  3. Implement additional security controls to prevent similar incidents from occurring in the future. This may involve strengthening access controls, monitoring unusual activity, and implementing multi-factor authentication (MFA) to prevent unauthorized access.
  4. Review the incident response plan to identify any areas for improvement. This can help ensure your organization is better prepared to respond to similar incidents.
  5. If sensitive data was exposed or compromised, notify affected parties and follow the required reporting procedures.