| Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)

This document describes a threat finding type in Security Command Center. Threat findings are generated by [threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect a potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).

Overview

A service account credential is being used to investigate the roles and permissions associated with that same service account. This finding indicates that service account credentials might be compromised and immediate action should be taken.

How to respond

To respond to this finding, do the following:

Step 1: Review finding details

1. Open a `Discovery: Service Account Self-Investigation` finding, as directed in [Reviewing finding details](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) earlier on this page. The details panel for the finding opens to the **Summary** tab.
2. On the **Summary** tab, review the information in the following sections:
   - **What was detected**, especially the following fields:
     - **Severity**: the risk level assigned to the finding. The severity is `HIGH` if the API call that triggered this finding was unauthorized, that is, the service account doesn't have permission to query its own IAM permissions with the `projects.getIamPolicy` API.
     - **Principal email**: the potentially compromised service account.
     - **Caller IP**: the internal or external IP address
   - **Affected resource**, especially the following fields:
     - **Resource full name**:
     - **Project full name**: the project that contains the potentially leaked account credentials.
   - **Related links**, especially the following fields:
     - **Cloud Logging URI**: link to Logging entries.
     - **MITRE ATT&CK method**: link to the MITRE ATT&CK documentation.
     - **Related findings**: links to any related findings.
3. To see the complete JSON for the finding, click the **JSON** tab.

Step 2: Review project and service account permissions

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam)

2. If necessary, select the project listed in the `projectID` field of the finding JSON.
3. On the page that appears, in the **Filter** box, enter the account name listed in **Principal email** and check assigned permissions.
4. In the Google Cloud console, go to the **Service Accounts** page.

   [Go to Service Accounts](https://console.cloud.google.com/iam-admin/serviceaccounts)

5. On the page that appears, in the **Filter** box, enter the name of the compromised service account and check the service account's keys and key creation dates.

Step 3: Check logs

1. On the **Summary** tab of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.
2. If necessary, select your project.
3. On the page that loads, check logs for activity from new or updated IAM resources using the following filters:
   - `proto_payload.method_name="google.iam.admin.v1.CreateServiceAccount"`
   - `protoPayload.methodName="SetIamPolicy"`
   - `protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"`, where `PRINCIPAL_EMAIL` is the value of **Principal email** from the finding

Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: [Permission Groups Discovery: Cloud Groups](https://attack.mitre.org/techniques/T1069/003/).
2. To develop a response plan, combine your investigation results with MITRE research.

Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

- Contact the owner of the project with the compromised account.
- [Delete the compromised service account](/iam/docs/service-accounts-delete-undelete#deleting) and rotate and delete all service account access keys for the compromised project. After deletion, resources that use the service account for authentication lose access.
- Delete project resources created by the compromised account, like unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.
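The following Python helper is an added example, not code from Security Command Center or its detector: it assembles the Step 3 log filters into one Logs Explorer query for the principal named in the finding, applies the Step 1 severity rule (an unauthorized self-query means `HIGH`) to an audit log entry, and lists the principal's follow-on IAM changes in the order they happened. The log entries, the principal, and the logged method name `GetIamPolicy` are constructed assumptions for illustration.

```python
"""Triage helpers for a Discovery: Service Account Self-Investigation finding.
Added example, not Security Command Center code. Log entries are constructed;
field names follow the Cloud Audit Logs protoPayload layout, values are assumed."""

# Follow-on IAM activity named in Step 3 (new or updated IAM resources).
FOLLOW_ON_METHODS = ("google.iam.admin.v1.CreateServiceAccount", "SetIamPolicy")
PERMISSION_DENIED = 7  # gRPC status code recorded in protoPayload.status.code


def logs_explorer_filter(principal_email: str) -> str:
    """Combine the page's Step 3 filters into one Logs Explorer query:
    the two method filters OR-ed, restricted to the principal from the finding."""
    methods = " OR ".join(f'protoPayload.methodName="{m}"' for m in FOLLOW_ON_METHODS)
    return f'({methods}) AND protoPayload.authenticationInfo.principalEmail="{principal_email}"'


def is_unauthorized_self_query(entry: dict) -> bool:
    """Step 1 severity rule: the finding is HIGH when the self-query was denied.
    "GetIamPolicy" as the logged method name is an assumption of this example."""
    p = entry["protoPayload"]
    return p.get("methodName") == "GetIamPolicy" and p.get("status", {}).get("code") == PERMISSION_DENIED


def follow_on_activity(entries: list, principal_email: str) -> list:
    """Return (timestamp, methodName) for IAM changes made by the principal, oldest first."""
    hits = [(e["timestamp"], e["protoPayload"]["methodName"]) for e in entries
            if e["protoPayload"]["authenticationInfo"]["principalEmail"] == principal_email
            and e["protoPayload"]["methodName"] in FOLLOW_ON_METHODS]
    return sorted(hits)


def entry(ts, method, principal, code=0):
    """Build a constructed audit log entry in protoPayload layout."""
    return {"timestamp": ts, "protoPayload": {"methodName": method, "status": {"code": code},
                                               "authenticationInfo": {"principalEmail": principal}}}


# Constructed sample: the service account queries its own policy (denied), then
# creates a new service account and changes a policy; an admin's change is unrelated.
SA = "builder@example-project.iam.gserviceaccount.com"  # constructed principal
SAMPLE_ENTRIES = [
    entry("2025-09-01T10:00:00Z", "GetIamPolicy", SA, code=PERMISSION_DENIED),
    entry("2025-09-01T10:05:00Z", "SetIamPolicy", SA),
    entry("2025-09-01T10:03:00Z", "google.iam.admin.v1.CreateServiceAccount", SA),
    entry("2025-09-01T10:06:00Z", "SetIamPolicy", "admin@example.com"),
]

if __name__ == "__main__":
    print(logs_explorer_filter(SA))
    print(follow_on_activity(SAMPLE_ENTRIES, SA))
```

The filter string can be pasted into the Logs Explorer query box after selecting the project from the finding's `projectID` field.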
What's next

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).

Last updated 2025-09-03 UTC.