Google Cloud announced the pre-release of Sensitive Actions Service, a premium security feature that identifies potentially risky behavior in the cloud. The service detects when actions are taken in an organization’s Google Cloud environment that could be harmful if taken by a malicious actor, InfoQ reported.
Sensitive Actions, which is now available in Preview, is focused on understanding IAM account or user account behavior. Sensitive actions are changes made to the Google Cloud environment that are security-relevant – and therefore important to know and evaluate – because they can be precursors to an attack, an effort to enable other attacks, or part of an effort to monetize a compromised account.
These detections can quickly reveal potentially malicious activities that are facilitated by the theft of authentication cookies, and are another defense-in-depth mechanism that Google Cloud offers to help address this attack vector.
“To ensure that adversaries do not have mechanisms to disable this protection or hide logs from users, Sensitive Actions is the default enabled service that is now enabled for Cloud customers. In cases where customers have certain privacy controls or policy restrictions applied to their logging pipeline, their logs will not be analyzed by this service.”
Peacock and McCloskey added in a published Google Cloud document on how to investigate threats and develop response plans.
Currently in preview, the new service is only available with the Security Command Center Premium tier and cannot be disabled. Additionally, it cannot detect sensitive actions in environments that are protected with Assured Workloads.