This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
The default Compute Engine service account was used to set the IAM policy for a Cloud Run service. This is a potential post-exploit action when a Compute Engine token is compromised from a serverless service.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
- Review the audit logs in Cloud Logging to determine if this was expected activity by the principal.
- Determine whether there are other signs of malicious activity by the principal in the logs.
Example finding JSON
The following is an example of the finding JSON.
{
  "finding": {
    "access": {
      "principalEmail": "PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "callerIp": "IP_ADDRESS",
      "callerIpGeo": {
        "regionCode": "REGION_CODE"
      },
      "userAgent": "USER_AGENT",
      "serviceName": "run.googleapis.com",
      "methodName": "google.cloud.run.v1.Services.SetIamPolicy",
      "principalSubject": "serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com",
      "serviceAccountDelegationInfo": [
        {
          "principalEmail": "service-PROJECT_NUMBER@serverless-robot-prod.iam.gserviceaccount.com"
        }
      ]
    },
    "application": {},
    "attackExposure": {},
    "canonicalName": "projects/PROJECT_NUMBER/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "category": "Privilege Escalation: Default Compute Engine Service Account SetIAMPolicy",
    "chokepoint": {},
    "cloudDlpDataProfile": {},
    "cloudDlpInspection": {},
    "createTime": "2025-05-27T20:36:26.627Z",
    "database": {},
    "dataProtectionKeyGovernance": {},
    "eventTime": "2025-05-27T20:36:26.527Z",
    "exfiltration": {},
    "findingClass": "THREAT",
    "findingProviderId": "organizations/ORGANIZATION_ID/firstPartyFindingProviders/etd",
    "indicator": {},
    "kernelRootkit": {},
    "kubernetes": {},
    "logEntries": [
      {
        "cloudLoggingEntry": {
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": "2025-05-27T20:35:26.897015Z"
        }
      }
    ],
    "mitreAttack": {
      "primaryTactic": "PRIVILEGE_ESCALATION",
      "primaryTechniques": [
        "ADDITIONAL_CLOUD_ROLES"
      ]
    },
    "mute": "UNDEFINED",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      }
    },
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "name": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global/findings/FINDING_ID",
    "parent": "organizations/ORGANIZATION_ID/sources/SOURCE_ID/locations/global",
    "parentDisplayName": "Event Threat Detection",
    "resourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "securityPosture": {},
    "severity": "LOW",
    "state": "ACTIVE",
    "vulnerability": {},
    "externalSystems": {}
  },
  "resource": {
    "name": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME",
    "displayName": "SERVICE_NAME",
    "type": "google.run.Service",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "run.googleapis.com",
    "location": "REGION",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "projectDisplayName": "PROJECT_ID",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER",
      "parentDisplayName": "PROJECT_ID",
      "organization": "organizations/ORGANIZATION_ID"
    },
    "resourcePath": {
      "nodes": [
        {
          "nodeType": "GCP_PROJECT",
          "id": "projects/PROJECT_NUMBER",
          "displayName": "PROJECT_ID"
        },
        {
          "nodeType": "GCP_ORGANIZATION",
          "id": "organizations/ORGANIZATION_ID"
        }
      ]
    },
    "resourcePathString": "organizations/ORGANIZATION_ID/projects/PROJECT_NUMBER"
  },
  "sourceProperties": {
    "sourceId": {
      "projectNumber": "PROJECT_NUMBER",
      "customerOrganizationNumber": "ORGANIZATION_ID"
    },
    "detectionCategory": {
      "ruleName": "cloud_run_services_set_iam_policy"
    },
    "detectionPriority": "LOW",
    "affectedResources": [
      {
        "gcpResourceName": "//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE_NAME"
      },
      {
        "gcpResourceName": "//cloudresourcemanager.googleapis.com/projects/PROJECT_NUMBER"
      }
    ],
    "evidence": [
      {
        "sourceLogId": {
          "projectId": "PROJECT_ID",
          "resourceContainer": "projects/PROJECT_ID",
          "timestamp": {
            "seconds": "1748378126",
            "nanos": 897015000
          },
          "insertId": "INSERT_ID",
          "logId": "cloudaudit.googleapis.com/activity"
        }
      }
    ],
    "properties": {},
    "findingId": "FINDING_ID",
    "contextUris": {
      "mitreUri": {
        "displayName": "MITRE Link",
        "url": "https://attack.mitre.org/techniques/T1098/003/"
      },
      "cloudLoggingQueryUri": [
        {
          "displayName": "Cloud Logging Query Link",
          "url": "LINK_TO_LOG_QUERY"
        }
      ],
      "relatedFindingUri": {}
    }
  }
}
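The two response steps can be driven from the finding itself. The following is an added example, not part of the original page or of Google's tooling: it reads a finding in the format shown above and builds Cloud Logging filters for the triggering audit log entry and for the principal's surrounding activity. The sample values, the `triage_filters` name, and the 24-hour window are assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: documented field names, made-up values, trimmed to what triage needs.
SAMPLE_FINDING = json.loads("""
{"finding": {
  "access": {
    "principalEmail": "123456789012-compute@developer.gserviceaccount.com",
    "methodName": "google.cloud.run.v1.Services.SetIamPolicy",
    "serviceAccountDelegationInfo": [
      {"principalEmail": "service-123456789012@serverless-robot-prod.iam.gserviceaccount.com"}
    ]},
  "eventTime": "2025-05-27T20:36:26.527Z",
  "logEntries": [{"cloudLoggingEntry": {
    "insertId": "abc123def456",
    "logId": "cloudaudit.googleapis.com/activity",
    "resourceContainer": "projects/example-project",
    "timestamp": "2025-05-27T20:35:26.897015Z"}}]}}
""")


def triage_filters(doc, window_hours=24):
    """Build Cloud Logging filters for the two response steps (window_hours is an assumption)."""
    finding = doc["finding"]
    access = finding["access"]
    entry = finding["logEntries"][0]["cloudLoggingEntry"]
    # Audit log names URL-encode the slash in the log ID.
    log_name = f'{entry["resourceContainer"]}/logs/{entry["logId"].replace("/", "%2F")}'
    principal = access["principalEmail"]
    event = datetime.fromisoformat(finding["eventTime"].replace("Z", "+00:00"))
    start, end = (
        (event + timedelta(hours=h)).strftime("%Y-%m-%dT%H:%M:%SZ")
        for h in (-window_hours, window_hours)
    )
    by_principal = (
        f'protoPayload.authenticationInfo.principalEmail="{principal}" '
        f'AND timestamp>="{start}" AND timestamp<="{end}"'
    )
    return {
        # Step 1: the exact audit log entry that triggered the finding.
        "trigger_entry": f'logName="{log_name}" AND insertId="{entry["insertId"]}" '
                         f'AND timestamp="{entry["timestamp"]}"',
        # Step 2: everything the principal did around the event, then only IAM policy changes.
        "principal_activity": by_principal,
        "principal_iam_changes": by_principal + ' AND protoPayload.methodName:"SetIamPolicy"',
        # Delegation chain: identities that delegated authority to the principal.
        "delegated_by": [d["principalEmail"]
                         for d in access.get("serviceAccountDelegationInfo", [])],
    }
```

Each returned filter string can be pasted into Logs Explorer or passed to `gcloud logging read`.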
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.