iam.serviceAccountKeys.create
Event
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account.
Security Context
- Creating long-lived access keys or credentials provides persistent access that survives password resets and session revocations.
- Accessing credential stores is a high-priority adversary objective that can unlock access to additional services, accounts, and environments.
Log Source
Cloud Audit Logs
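A detection sketch for this event, added here as an example and not part of the original entry: it scans JSON-formatted Cloud Audit Logs lines for successful service account key creations by principals outside an allowlist. The `methodName` value and field paths follow the `AuditLog` format and are not taken from this page; the helper names, sample entries and allowlist are assumptions.

```python
import json

# Audit-log method recorded when the iam.serviceAccountKeys.create permission is used.
CREATE_KEY_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"

def _entry(method, actor, code=0):
    """Build one constructed audit-log line (placeholder project, account and IP)."""
    return json.dumps({
        "timestamp": "2024-01-01T00:00:00Z",
        "protoPayload": {
            "serviceName": "iam.googleapis.com",
            "methodName": method,
            "authenticationInfo": {"principalEmail": actor},
            "requestMetadata": {"callerIp": "203.0.113.10"},
            "resourceName": "projects/-/serviceAccounts/ci@example-project.iam.gserviceaccount.com",
            "status": {"code": code} if code else {},  # success is logged with an empty status
        },
    })

# Constructed sample input, not real logs.
SAMPLE_LOG_LINES = [
    _entry(CREATE_KEY_METHOD, "alice@example.com"),
    _entry(CREATE_KEY_METHOD, "mallory@example.com", code=7),  # PERMISSION_DENIED
    _entry("google.iam.admin.v1.ListServiceAccountKeys", "alice@example.com"),
    _entry(CREATE_KEY_METHOD, "provisioner@example-project.iam.gserviceaccount.com"),
    "not json",
]

def find_key_creations(lines, allowed_principals=frozenset()):
    """Return a finding for each successful key creation by a principal outside the allowlist."""
    findings = []
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip malformed or non-object lines
        if payload.get("serviceName") != "iam.googleapis.com":
            continue
        if payload.get("methodName") != CREATE_KEY_METHOD:
            continue
        if (payload.get("status") or {}).get("code", 0) != 0:
            continue  # denied or failed attempts created no key
        actor = (payload.get("authenticationInfo") or {}).get("principalEmail", "unknown")
        if actor in allowed_principals:
            continue
        findings.append({
            "actor": actor,
            "service_account": payload.get("resourceName"),
            "caller_ip": (payload.get("requestMetadata") or {}).get("callerIp"),
        })
    return findings
```

Calling `find_key_creations(SAMPLE_LOG_LINES, {"provisioner@example-project.iam.gserviceaccount.com"})` leaves only the key created by `alice@example.com`; the denied attempt, the list call, the allowlisted provisioner and the malformed line are skipped.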
Sample Event
MITRE ATT&CK Mapping
Tactics: Persistence, Credential Access
Techniques:
- T1098.001 — Additional Cloud Credentials — Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. For example, adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azu...