Explanation:
Detects events where a key is created for a dormant user-managed service account. In this context, a service account is considered dormant if it has been inactive for more than 180 days.
Resolution:
Further investigation is required to determine which action to perform.
The GCP Security team will need to evaluate based on the actions below:
| Actions | Follow up |
|---|---|
| Check if this finding is introduced because of the Google Service Account Key rotation activity. To check, go to the logs and look for a pair of actions: | If not rotation - Inform application owner. If rotated - Don't have to inform application owner. |
| Open the Initial Access: Dormant Service Account Action finding, as directed in Reviewing findings. Under What was detected: Check with the application owner of the service account in the Principal email field whether the legitimate owner conducted the action. | If not exception - Inform application owner. Exception case - Don't have to inform application owner. |
See the table below for recommended action after investigation.
| Follow up | Action |
|---|---|
| Inform application owner. | Inform the owner about the activity, update the JIRA ticket's remediation action to "Owner is being informed", and close the ticket. |
| Don't have to inform application owner. | Update the JIRA ticket's remediation action to "False positive. Service account key creation is valid." and close the ticket. |
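
The rotation check from the first row of the Actions table can be scripted over exported audit log entries. This is an added example, not part of the original runbook. It assumes the pair of actions is a key creation followed by a key deletion on the same service account within 24 hours (the page does not list the pair) and that entries follow the Cloud Audit Logs layout; the sample entries, account names and window are constructed.

```python
from datetime import datetime, timedelta

CREATE = "google.iam.admin.v1.CreateServiceAccountKey"
DELETE = "google.iam.admin.v1.DeleteServiceAccountKey"
ROTATION_WINDOW = timedelta(hours=24)  # assumption: tune to your rotation process

def _entry(ts, sa, method, principal):
    """Build a constructed audit log entry, trimmed to the fields used below."""
    return {"timestamp": ts,
            "resource": {"labels": {"email_id": sa}},
            "protoPayload": {"methodName": method,
                             "authenticationInfo": {"principalEmail": principal}}}

DOMAIN = "example-project.iam.gserviceaccount.com"  # hypothetical project
SAMPLE_ENTRIES = [  # constructed sample, not real logs
    _entry("2024-05-01T10:00:00Z", f"app-a@{DOMAIN}", CREATE, "rotator@example.com"),
    _entry("2024-05-01T10:05:00Z", f"app-a@{DOMAIN}", DELETE, "rotator@example.com"),
    _entry("2024-05-01T11:00:00Z", f"app-b@{DOMAIN}", CREATE, "dev@example.com"),
    _entry("2024-05-01T09:00:00Z", f"app-c@{DOMAIN}", CREATE, "ops@example.com"),
    _entry("2024-05-04T09:00:00Z", f"app-c@{DOMAIN}", DELETE, "ops@example.com"),
]

def _ts(entry):
    """Parse the RFC 3339 timestamp into an aware datetime."""
    return datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))

def classify_key_creations(entries, window=ROTATION_WINDOW):
    """For each key creation, report whether the same service account had a key
    deleted within `window` afterwards (treated here as a rotation pair)."""
    deletes = {}
    for e in entries:
        if e["protoPayload"]["methodName"] == DELETE:
            deletes.setdefault(e["resource"]["labels"]["email_id"], []).append(_ts(e))
    verdicts = []
    for e in sorted(entries, key=_ts):
        if e["protoPayload"]["methodName"] != CREATE:
            continue
        sa, created = e["resource"]["labels"]["email_id"], _ts(e)
        rotated = any(timedelta(0) <= d - created <= window for d in deletes.get(sa, []))
        verdicts.append({
            "service_account": sa,
            "principal": e["protoPayload"]["authenticationInfo"]["principalEmail"],
            "rotated": rotated,
            "follow_up": ("Don't have to inform application owner" if rotated
                          else "Inform application owner"),
        })
    return verdicts

if __name__ == "__main__":
    for v in classify_key_creations(SAMPLE_ENTRIES):
        print(v)
```

The `principal` value in each verdict is the one to compare against the Principal email field of the finding when checking with the application owner.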
