Skip to content

Latest commit

 

History

History
112 lines (101 loc) · 3.17 KB

2.40.md

File metadata and controls

112 lines (101 loc) · 3.17 KB
Raw

2.40 - User access added (or removed) from IAP-protected HTTPS services

User access added (or removed) from IAP-protected HTTPS services (using IAP role roles/iap.httpsResourceAccessor)

Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity

Queries or Rules

BigQuery Log Analytics Google SecOps
SQL SQL Contribute rule

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "[email protected]"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "callerSuppliedUserAgent": "<redacted>",
      "requestAttributes": {
        "time": "2022-05-03T02:15:06.445972944Z",
        "auth": {
        }
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "iap.googleapis.com",
    "methodName": "google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy",
    "authorizationInfo": [
      {
        "resource": "projects/1234/iap_web/compute/services/1234",
        "permission": "iap.webServices.setIamPolicy",
        "granted": true,
        "resourceAttributes": {
          "service": "iap.googleapis.com",
          "name": "projects/1234/iap_web/compute/services/123456",
          "type": "iap.googleapis.com/WebService"
        }
      },
      {
        "permission": "iap.webServices.setIamPolicy",
        "granted": true,
        "resourceAttributes": {
          "service": "iap.googleapis.com",
          "name": "projects/1234/iap_web/compute/services/123456",
          "type": "iap.googleapis.com/WebService"
        }
      }
    ],
    "resourceName": "projects/1234/iap_web/compute/services/123456",
    "request": {
      "resource": "projects/1234/iap_web/compute/services/123456",
      "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest",
      "policy": {
        "bindings": [
          {
            "role": "roles/iap.httpsResourceAccessor",
            "members": [
              "user:[email protected]"
            ]
          }
        ],
        "etag": "BwXU2OG0ZKg="
      }
    },
    "response": {
      "bindings": [
        {
          "role": "roles/iap.httpsResourceAccessor",
          "members": [
            "user:[email protected]"
          ]
        }
      ],
      "etag": "BwXeEhPPD2I=",
      "@type": "type.googleapis.com/google.iam.v1.Policy"
    }
  },
  "insertId": "vdbcibd23rv",
  "resource": {
    "type": "gce_backend_service",
    "labels": {
      "project_id": "1234",
      "location": "",
      "backend_service_id": ""
    }
  },
  "timestamp": "2022-05-03T02:15:06.432859472Z",
  "severity": "NOTICE",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-05-03T02:15:07.274292127Z"
}