
Service Account Key Changed

This alert occurs when Lacework detects a change in a service account key.

Service accounts are Google Cloud identities that applications and workloads use to call Google Cloud APIs. A service account key is an RSA key pair bound to that account. Google-managed keys never leave Google's infrastructure, but user-managed keys are downloadable, long-lived credentials: anyone holding the private key file can authenticate as the service account from any network, with no user login or MFA in the path. Changes of this kind include creating or uploading a key, and deleting, disabling, or enabling an existing one.

Related policy: LW_AT_RESOURCE_170: Service Account Key Modified

Why this alert is important

Changes to service account keys can have significant security implications. Creating or uploading a key mints a new durable credential for the account: if the key is created by an attacker who already holds some IAM permission, or if a legitimate key file is later leaked, the holder gains persistent access to every resource the service account can reach. Deleting or disabling a key can break production workloads, and an attacker may delete the key they created to cover their tracks, so deletions deserve scrutiny as well.

Investigation

If you suspect a malicious change has been made to a service account key, follow these steps to investigate the alert:

  1. Check the Admin Activity audit logs in Cloud Logging for the change itself. Entries from iam.googleapis.com with a method such as google.iam.admin.v1.CreateServiceAccountKey, UploadServiceAccountKey, DeleteServiceAccountKey, DisableServiceAccountKey, or EnableServiceAccountKey record who made the change (protoPayload.authenticationInfo.principalEmail), from where (protoPayload.requestMetadata.callerIp and callerSuppliedUserAgent), and which key was affected. Confirm with the principal's owner whether the change was expected, and look for other unusual activity by the same principal around the same time.
  2. Determine the scope of the compromise by identifying the affected resources and users. Review the service account's IAM role bindings at the project, folder, and organization level: everything the account can reach is exposed to whoever holds the key.
  3. Review the access logs for the affected resources. When a call is authenticated with a key, the audit log entry carries the key in protoPayload.authenticationInfo.serviceAccountKeyName, so you can separate the suspect key's activity from the account's normal traffic across Compute Engine, Cloud Storage, and other services. Admin Activity logs are always on; Data Access logs (reads of storage objects, secrets, and so on) must have been enabled beforehand for the services in question.
  4. Conduct a root cause analysis to determine how the key was created or compromised: which IAM grant let the principal create keys (iam.serviceAccountKeys.create), whether that principal's own credentials were phished or leaked, and whether an existing key file was committed to source control, baked into an image, or left on a compromised host.
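The following script works through steps 1 to 3 over exported Cloud Audit Log entries. It is an added example, not Lacework's or Google's code: the five log lines are constructed, and the project name, principal, service account, key IDs, and IP addresses are assumed values. The field names (protoPayload.methodName, authenticationInfo.principalEmail, authenticationInfo.serviceAccountKeyName, requestMetadata.callerIp) follow the Cloud Audit Log schema, so the same functions run unchanged on a real JSON export from Cloud Logging.

```python
"""Triage a 'Service Account Key Changed' alert from exported Cloud Audit Log entries.

Added example; the sample entries below are constructed, not a real export.
"""
import json

# IAM Admin API methods that create, remove, or change the state of a key.
KEY_CHANGE_METHODS = {
    "google.iam.admin.v1.CreateServiceAccountKey": "created",
    "google.iam.admin.v1.UploadServiceAccountKey": "uploaded",
    "google.iam.admin.v1.DeleteServiceAccountKey": "deleted",
    "google.iam.admin.v1.DisableServiceAccountKey": "disabled",
    "google.iam.admin.v1.EnableServiceAccountKey": "enabled",
}

# Constructed sample, one JSON entry per line as a Cloud Logging export would give it:
# a key created by alice from an external IP, two Cloud Storage reads with that key,
# one Compute call with a different, pre-existing key, then alice deleting the new key.
SAMPLE_LOG = r'''
{"timestamp": "2024-05-01T09:12:00Z", "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.5", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"}, "resourceName": "projects/-/serviceAccounts/112233445566", "response": {"name": "projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/a1b2c3d4"}}}
{"timestamp": "2024-05-01T09:15:30Z", "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "deploy@my-project.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/a1b2c3d4"}, "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "python-requests/2.31"}, "resourceName": "projects/_/buckets/customer-exports"}}
{"timestamp": "2024-05-01T09:16:02Z", "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "deploy@my-project.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/a1b2c3d4"}, "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "python-requests/2.31"}, "resourceName": "projects/_/buckets/customer-exports/objects/2024-04.csv"}}
{"timestamp": "2024-05-01T09:20:00Z", "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"serviceName": "compute.googleapis.com", "methodName": "v1.compute.instances.list", "authenticationInfo": {"principalEmail": "deploy@my-project.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/my-project/serviceAccounts/deploy@my-project.iam.gserviceaccount.com/keys/ffff0000"}, "requestMetadata": {"callerIp": "10.0.0.4"}, "resourceName": "projects/my-project/zones/us-central1-a/instances"}}
{"timestamp": "2024-05-01T10:05:00Z", "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.DeleteServiceAccountKey", "authenticationInfo": {"principalEmail": "alice@example.com"}, "requestMetadata": {"callerIp": "203.0.113.5", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/470.0.0"}, "resourceName": "projects/-/serviceAccounts/112233445566/keys/a1b2c3d4"}}
'''


def _key_id(payload):
    """CreateServiceAccountKey names the new key in the response; delete, disable and
    enable name it in resourceName. Take whichever carries a /keys/ segment."""
    for name in (payload.get("response", {}).get("name"), payload.get("resourceName")):
        if name and "/keys/" in name:
            return name.rsplit("/keys/", 1)[1]
    return None


def _service_account(payload):
    """Email from response.name, or the numeric unique ID that resourceName may use instead."""
    for name in (payload.get("response", {}).get("name"), payload.get("resourceName")):
        if name and "/serviceAccounts/" in name:
            return name.split("/serviceAccounts/", 1)[1].split("/", 1)[0]
    return None


def key_change_events(entries):
    """Step 1: every key change, with who did it, from where, and which key (time-sorted)."""
    events = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        action = KEY_CHANGE_METHODS.get(payload.get("methodName"))
        if not action:
            continue
        meta = payload.get("requestMetadata", {})
        events.append({
            "time": entry.get("timestamp"),
            "action": action,
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "caller_ip": meta.get("callerIp"),
            "user_agent": meta.get("callerSuppliedUserAgent"),
            "service_account": _service_account(payload),
            "key_id": _key_id(payload),
        })
    return sorted(events, key=lambda ev: ev["time"] or "")


def key_usage(entries, key_id):
    """Steps 2 and 3: every call authenticated with this key, so the suspect key's
    traffic can be separated from the account's normal traffic (other keys, attached SA)."""
    suffix = "/keys/" + key_id
    used = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        key_name = payload.get("authenticationInfo", {}).get("serviceAccountKeyName", "")
        if key_name.endswith(suffix):
            used.append({
                "time": entry.get("timestamp"),
                "service": payload.get("serviceName"),
                "method": payload.get("methodName"),
                "resource": payload.get("resourceName"),
                "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
            })
    return sorted(used, key=lambda use: use["time"] or "")


def triage(jsonl_text):
    """Parse a JSON-lines export and report each key change plus the usage of any new key."""
    entries = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    changes = key_change_events(entries)
    report = {"changes": changes, "usage": {}}
    for event in changes:
        if event["action"] in ("created", "uploaded") and event["key_id"]:
            report["usage"][event["key_id"]] = key_usage(entries, event["key_id"])
    return report


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ev in report["changes"]:
        print(f"{ev['time']} key {ev['key_id']} {ev['action']} on {ev['service_account']} "
              f"by {ev['principal']} from {ev['caller_ip']} ({ev['user_agent']})")
    for key_id, calls in report["usage"].items():
        print(f"key {key_id} used {len(calls)} time(s):")
        for call in calls:
            print(f"  {call['time']} {call['service']} {call['method']} {call['resource']} from {call['caller_ip']}")
```

On the constructed sample the report shows the key being created and later deleted by the same principal from the same external address, and that in between it was used only from a second external address to list and read a customer-exports bucket, while the Compute call with the pre-existing key ffff0000 is correctly left out. The delete event is the part an attacker hopes you will read as cleanup; the usage between the two IAM events is the scope of the incident.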

Resolution

Use the following steps to resolve an unauthorized modification to a service account key:

  1. Disable the compromised key as soon as possible (gcloud iam service-accounts keys disable KEY_ID --iam-account=SA_EMAIL). Disabling is reversible, so a key disabled by mistake can be re-enabled; delete the key once you have confirmed that no legitimate workload depends on it. If the attacker may hold other keys for the same account, treat every user-managed key on the account as suspect.
  2. Review the IAM role bindings on any resources that were accessed using the compromised key and revoke any permissions that were granted during the incident.
  3. Restore the workloads that legitimately used the account. Prefer a keyless credential: attach the service account to the Compute Engine, GKE, or Cloud Run workload, or use Workload Identity Federation for workloads outside Google Cloud. If a key is unavoidable, generate a new one and rotate every other user-managed key on the account, since any of them may have been exposed by the same root cause.
  4. Review and update IAM policies so that only the principals that need it hold iam.serviceAccountKeys.create (for example through the Service Account Key Admin role), and so that the service account itself carries only the roles its workload requires.
  5. Prevent recurrence with organization policy: constraints/iam.disableServiceAccountKeyCreation blocks new user-managed keys and constraints/iam.disableServiceAccountKeyUpload blocks uploaded ones, with exceptions granted per project where keys are genuinely required. Multi-factor authentication does not apply to the key itself, because a service account key is used without any interactive login; enforce MFA on the human principals who are allowed to create keys instead.
  6. Continue monitoring logs and access control policies for any further unauthorized activity related to the incident, including re-enabling of the disabled key or creation of a replacement by the same principal.
  7. If sensitive data was exposed or compromised, notify affected parties and follow the required reporting procedures.
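Steps 1 and 3 come down to deciding, for every key on the account, whether it must be disabled immediately, replaced and then disabled, or left alone. The script below encodes that decision. It is an added example, not Lacework's or Google's code: KEY_INVENTORY is constructed to mirror the JSON printed by gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json (fields name, keyType, keyOrigin, validAfterTime, validBeforeTime, disabled), and the service account, key IDs and incident window are assumed values carried over from the triage.

```python
"""Plan containment for a compromised user-managed service account key.

Added example; KEY_INVENTORY is a constructed stand-in for the output of
gcloud iam service-accounts keys list --iam-account=SA_EMAIL --format=json.
"""
from datetime import datetime, timezone

SA_EMAIL = "deploy@my-project.iam.gserviceaccount.com"  # assumed
_PREFIX = f"projects/my-project/serviceAccounts/{SA_EMAIL}/keys/"

# Constructed inventory: the alerted key, an old long-lived key, an uploaded key that
# appeared during the incident, a Google-managed key, and a key that is already disabled.
KEY_INVENTORY = [
    {"name": _PREFIX + "a1b2c3d4", "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2024-05-01T09:12:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": _PREFIX + "ffff0000", "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2023-11-10T14:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": False},
    {"name": _PREFIX + "0badcafe", "keyType": "USER_MANAGED", "keyOrigin": "USER_PROVIDED",
     "validAfterTime": "2024-05-01T09:40:00Z", "validBeforeTime": "2034-05-01T09:40:00Z", "disabled": False},
    {"name": _PREFIX + "77777777", "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2024-04-28T00:00:00Z", "validBeforeTime": "2024-05-12T00:00:00Z", "disabled": False},
    {"name": _PREFIX + "12341234", "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2023-01-05T08:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": True},
]

# Incident window established during triage (assumed values).
WINDOW_START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse the RFC 3339 timestamps gcloud prints (trailing Z means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def plan_containment(keys, compromised_key_id, window_start, window_end):
    """Sort every key on the account into disable_now / rotate / leave, each with a reason."""
    plan = {"disable_now": [], "rotate": [], "leave": []}
    for key in keys:
        key_id = key["name"].rsplit("/keys/", 1)[1]
        if key.get("keyType") != "USER_MANAGED":
            # Google-managed keys never leave Google's infrastructure and rotate automatically.
            plan["leave"].append((key_id, "system-managed key; Google rotates it"))
            continue
        if key.get("disabled"):
            plan["leave"].append((key_id, "already disabled; delete it once rotation is verified"))
            continue
        created = _ts(key["validAfterTime"])
        if key_id == compromised_key_id:
            plan["disable_now"].append((key_id, "key named in the alert"))
        elif window_start <= created <= window_end:
            # Anything that appeared while the attacker had access is presumed theirs.
            origin = key.get("keyOrigin", "unknown origin")
            plan["disable_now"].append((key_id, f"{origin} key created inside the incident window"))
        else:
            # Pre-existing keys may have leaked by the same route; replace, then disable.
            why = f"pre-existing key, {(window_end - created).days} days old"
            if key.get("validBeforeTime", "").startswith("9999"):
                why += ", no expiry"
            plan["rotate"].append((key_id, why + "; replace and then disable"))
    return plan


def gcloud_commands(plan, sa_email):
    """The commands to run first: disable is reversible, so it is safe before rotation is done."""
    return [f"gcloud iam service-accounts keys disable {key_id} --iam-account={sa_email}"
            for key_id, _ in plan["disable_now"]]


if __name__ == "__main__":
    plan = plan_containment(KEY_INVENTORY, "a1b2c3d4", WINDOW_START, WINDOW_END)
    for bucket, items in plan.items():
        for key_id, reason in items:
            print(f"{bucket:12} {key_id}  {reason}")
    print("\n".join(gcloud_commands(plan, SA_EMAIL)))
```

Two points in the classification are worth keeping even if you adapt the rest: SYSTEM_MANAGED keys are excluded because they are the Google-managed pair the platform rotates on its own, and a validBeforeTime in the year 9999 is what a user-managed key without an expiry looks like, which is the normal default and the reason such keys accumulate unnoticed.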