Get IAM policy for project¶
| Platform | Author | Last Update |
|---|---|---|
| gcp | Richard Slaney | 2023-07-01 |
A user can request to see what members are associated with a project and what roles they have, to identify entities that they might wish to gain access to or backdoor.
MITRE IDs¶
Required Permissions¶
- resourcemanager.projects.getIamPolicy
Required Parameters¶
| Name | Type | Description | Example Value |
|---|---|---|---|
| project_id | str | ID of the project to list entities from | phrasal-crowbar-284615 |
Attacker Action¶
gcloud iam service-accounts list
Detection Case¶
ELK query¶
When logs are ingested into ELK, the following Lucene query can be used to identify relevant events.
eventName:ListUsers AND eventSource:*.iam.amazonaws.com
Sigma Definition¶