# Full Report
Google Cloud customers can now detect excessive access in their GCP environment based on Google audit logs to effectively right-size permissions.
## Analysis Summary
This article focuses on a security capability added by the vendor Wiz to detect excessive access findings in Google Cloud Platform (GCP) by leveraging Google audit logs, complementing or augmenting the native IAM Recommender. It describes a **security analysis technique** or **feature** rather than a piece of malware or a specific threat actor tool.
# Tool/Technique: Excessive Access Findings Analysis (Wiz)
## Overview
This entry describes a security analysis capability provided by the Wiz platform designed to help Google Cloud Platform (GCP) customers enforce the principle of least privilege by identifying principals (users and service accounts) that have been granted excessive or over-provisioned permissions, based on analysis of GCP cloud events and audit logs.
## Technical Details
- Type: Technique (Security Monitoring/Analysis Feature)
- Platform: Google Cloud Platform (GCP)
- Capabilities: Identifies excessive permissions, detects inactive users/service accounts, analyzes attack paths formed by identity misconfigurations, and provides remediation guidance.
- First Seen: Not explicitly stated in the text; the capability is described in the context of a recent product launch/update.
## MITRE ATT&CK Mapping
The primary focus is understanding and controlling permissions, which relates to the Privilege Escalation, Discovery and Defense Evasion tactics as they apply to Identity and Access Management (IAM).
- **TA0004 - Privilege Escalation**
  - **T1078 - Valid Accounts**
    - T1078.004 - Cloud Accounts
- **TA0007 - Discovery**
  - **T1592 - Gather Victim Identity Information**
    - T1592.003 - Cloud Accounts
- **TA0005 - Defense Evasion**
  - **T1538 - Privilege or Permission Discovery** (implicit, since excessive permissions are what the analysis discovers)
## Functionality
### Core Capabilities
- Identifying permissions that have been over-provisioned (excessive access).
- Detecting inactive users and service accounts.
- Providing explicit guidance on how to adjust permissions to enforce least privilege.
### Advanced Features
- Analyzing how identity misconfigurations combine with other factors (e.g., network vulnerabilities) to create tangible **attack paths**.
- Providing visibility regardless of the customer's Security Command Center (SCC) premium pricing tier by using GCP audit logs.
## Indicators of Compromise
*Note: As this is a security analysis feature, it does not generate IOCs related to malware, but rather identifies risky configurations.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Detection of principals with permissions exceeding necessary scope, or principals showing no activity.
## Associated Threat Actors
Not directly associated with specific threat actors; the findings instead address over-provisioned identities, a weakness commonly exploited by adversaries to achieve Privilege Escalation.
## Detection Methods
- Signature-based detection: N/A (Relies on analyzing audit logs against defined policy/usage rules).
- Behavioral detection: Analysis of principal activity levels and permission usage against entitlements.
- YARA rules if available: N/A
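The behavioral detection described above (comparing what a principal is entitled to with what the audit logs show it actually exercising, and flagging principals with no activity) can be illustrated with a small right-sizing routine. The code below is an added example written for this entry, not Wiz's implementation and not an official Google tool; it reads only the standard Cloud Audit Logs fields (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.authorizationInfo[].permission` / `granted`, `timestamp`), and both the entitlement map and the log entries are constructed sample data. In a real pipeline the entitlement map would be built from IAM policy bindings expanded through role definitions, and the log entries would come from a Logging export.

```python
"""Right-size GCP IAM grants from Cloud Audit Logs.

Illustrative example (not Wiz's or Google's code): for each principal, compare the
permissions it has been granted with the permissions the audit logs show it has
actually exercised, and flag (a) unused permissions and (b) inactive principals.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample entitlement map: principal -> granted permissions.
GRANTED = {
    "deploy-sa@example-project.iam.gserviceaccount.com": {
        "storage.objects.get", "storage.objects.create",
        "storage.buckets.delete", "compute.instances.delete",
    },
    "analyst@example.com": {"bigquery.jobs.create", "bigquery.tables.getData"},
    "legacy-sa@example-project.iam.gserviceaccount.com": {"iam.serviceAccountKeys.create"},
}

# Constructed sample audit log entries (only the LogEntry fields this example reads).
AUDIT_LOG = [
    {"timestamp": "2024-05-01T10:00:00Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
         "methodName": "storage.objects.get",
         "authorizationInfo": [{"permission": "storage.objects.get", "granted": True}]}},
    {"timestamp": "2024-05-02T11:30:00Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
         "methodName": "storage.objects.create",
         "authorizationInfo": [{"permission": "storage.objects.create", "granted": True}]}},
    {"timestamp": "2024-05-03T09:15:00Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "analyst@example.com"},
         "methodName": "jobservice.insert",
         "authorizationInfo": [{"permission": "bigquery.jobs.create", "granted": True},
                               {"permission": "bigquery.tables.getData", "granted": True}]}},
    # A denied call: the permission was checked but not granted, so it is not
    # evidence that the principal needs (or holds) that permission.
    {"timestamp": "2024-05-04T12:00:00Z",
     "protoPayload": {
         "authenticationInfo": {"principalEmail": "analyst@example.com"},
         "methodName": "storage.objects.delete",
         "authorizationInfo": [{"permission": "storage.objects.delete", "granted": False}]}},
]

# Constructed observation time used by run_example(); a real job would use utcnow().
OBSERVATION_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def used_permissions(entries):
    """Map principal -> permissions the logs show were both granted and exercised."""
    used = {}
    for entry in entries:
        payload = entry["protoPayload"]
        principal = payload["authenticationInfo"]["principalEmail"]
        for auth in payload.get("authorizationInfo", []):
            if auth.get("granted"):
                used.setdefault(principal, set()).add(auth["permission"])
    return used


def last_activity(entries):
    """Map principal -> most recent timestamp observed for that principal."""
    seen = {}
    for entry in entries:
        principal = entry["protoPayload"]["authenticationInfo"]["principalEmail"]
        ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
        if principal not in seen or ts > seen[principal]:
            seen[principal] = ts
    return seen


def excessive_access_findings(granted, entries, now, inactive_after_days=90):
    """Return {principal: {"unused": set, "inactive": bool, "last_activity": datetime|None}}."""
    used = used_permissions(entries)
    seen = last_activity(entries)
    findings = {}
    for principal, perms in granted.items():
        last = seen.get(principal)
        findings[principal] = {
            "unused": perms - used.get(principal, set()),
            "inactive": last is None or (now - last) > timedelta(days=inactive_after_days),
            "last_activity": last,
        }
    return findings


def run_example():
    """Run the analysis over the constructed sample data."""
    return excessive_access_findings(GRANTED, AUDIT_LOG, OBSERVATION_TIME)


if __name__ == "__main__":
    for principal, f in run_example().items():
        print(f"{principal}: inactive={f['inactive']} unused={sorted(f['unused'])}")
```

The denied entry matters: `authorizationInfo[].granted` is false when a call was attempted without the permission, so counting it as "usage" would keep a grant the principal does not actually hold or need. Likewise, a principal that appears only in denied calls still counts as active for the inactivity check, which is a deliberate choice here; tighten it to granted calls only if your remediation policy treats failed attempts as noise.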
## Mitigation Strategies
- Implementing the Principle of Least Privilege (PoLP) for all GCP principals.
- Utilizing security findings provided by Wiz to scope down excessive permissions.
- Monitoring and remediating inactive users and service accounts.
## Related Tools/Techniques
- Google Cloud IAM Recommender (The native GCP tool which the Wiz feature complements or augments).
- Cloud Infrastructure Entitlement Management (CIEM) solutions.