Cloud Credentials Rotation - GCP
## **GCP Credentials Rotation Playbook** ### **IAM Remediation** For compromised service accounts: - **Access Key Disabling**: Immediately disable the compromised service account access key. - **New Key Generation**: After ensuring the old key is disabled, generate a new access key. ### **GSuite Admin Remediation** Admin accounts are crucial: - **Reset Password**: Resets the user password to halt any unauthorized access. - **Revoke Access Token**: Revoke any suspicious or unauthorized access tokens. - **Combo Action**: Reset the password and revoke access tokens to ensure complete safety.
GCP Enrichment and Remediation · 18 tasks · 7 inputs · 3 outputs
Inputs
GSuiteRemediationType— The response playbook provides the following remediation actions using GSuite Admin: Reset: By entering "Reset" in the input, the playbook will execute password reset. Revoke: By entering "Revoke" in the input, the playbook will execute access key suspension. (Both the user and client IDs must be provided) ALL: By entering "ALL" in the input, the playbook will execute the password reset and revoke access key tasks.userID— Identifies the user in the API request. The value can be the user's primary email address, alias email address, or unique user ID.clientID— The client ID.zone— The name of the zone.serviceAccountEmail— The service account email.identityType— The type of identity involved. Usually mapped to the incident field named 'cloudidentitytype'. e.g. USER,SERVICE_ACCOUNT,APPLICATIONcloudProject— The relevant project that the alert relates to.
Outputs
GoogleCloudCompute.Instances— Google Cloud Compute instance information.GCPIAM.ServiceAccountKey— The service account keys.GCPIAM.ServiceAccount— The service account information.
Commands used
gcp-compute-list-instances
gcp-iam-service-account-key-create
gcp-iam-service-account-key-disable
gcp-iam-service-account-keys-get
gcp-iam-service-accounts-get
gsuite-token-revoke
gsuite-user-update