Skip to content

add-iam-policy-binding

GCP

add-iam-policy-binding

service: GCP - IAM
techniques:

Event

Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.

Security Context

  • Adversaries attach overly permissive policies to maintain persistent, elevated access even after initial credentials are rotated.
  • Abusing elevation control mechanisms allows adversaries to bypass intended access restrictions and operate with higher privileges.

Log Source

Cloud Audit Logs

Sample Event

Draco grants his own user roles/owner on the production project — a textbook persistence/privilege-escalation pattern. Note the external source IP and the response.bindings reflecting the policy after the change.

{
"logName": "projects/fantasticlogs-prod/logs/cloudaudit.googleapis.com%2Factivity",
"protoPayload": {
"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
"authenticationInfo": {
"principalEmail": "draco@fantasticlogs.cloud"
},
"requestMetadata": {
"callerIp": "203.0.113.66",
"callerSuppliedUserAgent": "google-cloud-sdk gcloud/465.0.0 command/gcloud.projects.add-iam-policy-binding invocation-id/90000000000000000000000000000001 environment/None environment-version/None client-os/LINUX client-os-ver/(5,15,0) client-pltf-arch/x86_64 interactive/False from-script/False python/3.11.6 term/xterm-256color (Linux 5.15.0-1052-aws)",
"requestAttributes": {
"time": "2026-04-15T13:42:11.123456789Z",
"auth": {}
},
"destinationAttributes": {}
},
"serviceName": "cloudresourcemanager.googleapis.com",
"methodName": "SetIamPolicy",
"authorizationInfo": [
{
"resource": "projects/fantasticlogs-prod",
"permission": "resourcemanager.projects.setIamPolicy",
"granted": true,
"resourceAttributes": {}
}
],
"resourceName": "projects/fantasticlogs-prod",
"request": {
"@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest",
"resource": "projects/fantasticlogs-prod",
"policy": {
"bindings": [
{
"role": "roles/owner",
"members": [
"user:draco@fantasticlogs.cloud"
]
}
],
"etag": "BwSAMPLEetag001="
},
"updateMask": "bindings,etag"
},
"response": {
"@type": "type.googleapis.com/google.iam.v1.Policy",
"bindings": [
{
"role": "roles/owner",
"members": [
"user:hermione@fantasticlogs.cloud",
"user:draco@fantasticlogs.cloud"
]
},
{
"role": "roles/editor",
"members": [
"serviceAccount:555123456789-compute@developer.gserviceaccount.com"
]
},
{
"role": "roles/iam.serviceAccountUser",
"members": [
"serviceAccount:occamy-pipeline@fantasticlogs-prod.iam.gserviceaccount.com"
]
}
],
"etag": "BwSAMPLEetag010="
}
},
"insertId": "evt0000000001",
"resource": {
"type": "project",
"labels": {
"project_id": "fantasticlogs-prod"
}
},
"timestamp": "2026-04-15T13:42:11.123456789Z",
"severity": "NOTICE",
"receiveTimestamp": "2026-04-15T13:42:11.234567890Z"
}

MITRE ATT&CK Mapping

Tactics: Privilege Escalation Persistence

Techniques:
  • T1098 — Account Manipulation — Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account manipulation may consist of any action that preserves or modifies adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include accoun...
  • T1548 — Abuse Elevation Control Mechanism — Adversaries may circumvent mechanisms designed to control privilege elevation to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific u...