Search code examples
google-cloud-platformgoogle-cloud-stackdrivergoogle-cloud-iam

Google Cloud service account monitoring alerts

Background

I have a Google Cloud project running my N applications. Each application has an exclusive IAM service account (total N service account) with minimal permissions.

Scenario

Let's imagine that one of the service accounts was leaked out. An attacker will try to take advantage of these credentials. Because he doesn't know exactly which kind of permissions this account has, we will try to make calls and see if it working for him.

Question

I want to "listen" to audit logs. Once I will see the log from kind "access denied", I will know that something is wrong with this service account.

  1. Is this possible to write all those access denied incidents to Google Cloud Stackdriver?
  2. How you recommend implementing it?

Thank you

Solution

  • Here is one way to go about it:

    • Create a new cloud pubsub topic
    • Create a new log routing sink with destination service of cloud pubsub topic created in the previous step (set a filter to be something like protoPayload.authenticationInfo.principalEmail="<service-account-name>@<project-name>.iam.gserviceaccount.com" AND protoPayload.authorizationInfo.granted="false" to only get messages about unsuccessful auth action for your service account)
    • Create a cloud function that's triggered with a new message for the pubsub topic is published; this function can do whatever you desire, like send a message to the email address, page you or anything else you can come up with in the code.