Skip to content

Latest commit

 

History

History
112 lines (101 loc) · 3.17 KB

2.40.md

File metadata and controls

112 lines (101 loc) · 3.17 KB
Raw

2.40 - User access added (or removed) from IAP-protected HTTPS services

User access added (or removed) from IAP-protected HTTPS services (using IAP role roles/iap.httpsResourceAccessor)

Category: IAM, Keys & Secrets Changes
Use Cases: Detect, Audit
Data Sources: Audit Logs - Admin Activity

Queries or Rules

BigQuery Chronicle Log Analytics
SQL Contribute rule SQL

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy

{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "authenticationInfo": {
      "principalEmail": "admin@example.com"
    },
    "requestMetadata": {
      "callerIp": "203.0.113.255",
      "callerSuppliedUserAgent": "<redacted>",
      "requestAttributes": {
        "time": "2022-05-03T02:15:06.445972944Z",
        "auth": {
        }
      },
      "destinationAttributes": {
      }
    },
    "serviceName": "iap.googleapis.com",
    "methodName": "google.cloud.iap.v1.IdentityAwareProxyAdminService.SetIamPolicy",
    "authorizationInfo": [
      {
        "resource": "projects/1234/iap_web/compute/services/1234",
        "permission": "iap.webServices.setIamPolicy",
        "granted": true,
        "resourceAttributes": {
          "service": "iap.googleapis.com",
          "name": "projects/1234/iap_web/compute/services/123456",
          "type": "iap.googleapis.com/WebService"
        }
      },
      {
        "permission": "iap.webServices.setIamPolicy",
        "granted": true,
        "resourceAttributes": {
          "service": "iap.googleapis.com",
          "name": "projects/1234/iap_web/compute/services/123456",
          "type": "iap.googleapis.com/WebService"
        }
      }
    ],
    "resourceName": "projects/1234/iap_web/compute/services/123456",
    "request": {
      "resource": "projects/1234/iap_web/compute/services/123456",
      "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest",
      "policy": {
        "bindings": [
          {
            "role": "roles/iap.httpsResourceAccessor",
            "members": [
              "user:test-user@example.com"
            ]
          }
        ],
        "etag": "BwXU2OG0ZKg="
      }
    },
    "response": {
      "bindings": [
        {
          "role": "roles/iap.httpsResourceAccessor",
          "members": [
            "user:test-user@example.com"
          ]
        }
      ],
      "etag": "BwXeEhPPD2I=",
      "@type": "type.googleapis.com/google.iam.v1.Policy"
    }
  },
  "insertId": "vdbcibd23rv",
  "resource": {
    "type": "gce_backend_service",
    "labels": {
      "project_id": "1234",
      "location": "",
      "backend_service_id": ""
    }
  },
  "timestamp": "2022-05-03T02:15:06.432859472Z",
  "severity": "NOTICE",
  "logName": "projects/1234/logs/cloudaudit.googleapis.com%2Factivity",
  "receiveTimestamp": "2022-05-03T02:15:07.274292127Z"
}