add-iam-policy-binding
GCP
add-iam-policy-binding
Event
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
Security Context
- Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
- Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.
Log Source
Cloud Audit Logs
Sample Event
Draco grants his own user roles/owner on the production project — a textbook persistence/privilege-escalation pattern. Note the external source IP and the response.bindings reflecting the policy after the change.
{ "logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": { "@type": "type.googleapis.com/google.cloud.audit.AuditLog", "authenticationInfo": { "principalEmail": "draco@fantasticlogs.cloud" }, "requestMetadata": { "callerIp": "203.0.113.66", "callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.projects.add-iam-policy-binding invocation-id/90000000000000000000000000000001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws)", "requestAttributes": { "time": "2026-04-15T13:42:11.123456789Z", "auth": {} }, "destinationAttributes": {} }, "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "authorizationInfo": [ { "resource": "projects/fantasticlogs-prod", "permission": "resourcemanager.projects.setIamPolicy", "granted": true, "resourceAttributes": {} } ], "resourceName": "projects/fantasticlogs-prod", "request": { "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest", "resource": "projects/fantasticlogs-prod", "policy": { "bindings": [ { "role": "roles/owner", "members": [ "user:draco@fantasticlogs.cloud" ] } ], "etag": "BwSAMPLEetag001=" }, "updateMask": "bindings,etag" }, "response": { "@type": "type.googleapis.com/google.iam.v1.Policy", "bindings": [ { "role": "roles/owner", "members": [ "user:hermione@fantasticlogs.cloud", "user:draco@fantasticlogs.cloud" ] }, { "role": "roles/editor", "members": [ "serviceAccount:555123456789-compute@developer.gserviceaccount.com" ] }, { "role": "roles/iam.serviceAccountUser", "members": [ "serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com" ] } ], "etag": "BwSAMPLEetag010=" } }, "insertId": "evt0000000001", "resource": { "type": "project", "labels": { "project_id": "fantasticlogs-prod" } }, "timestamp": "2026-04-15T13:42:11.123456789Z", "severity": "NOTICE", "receiveTimestamp": "2026-04-15T13:42:11.234567890Z"}MITRE ATT&CK Mapping
Tactics: Privilege Escalation Persistence
Techniques:
- T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
- T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...