Log Analysis PBQs: Professional Cloud Security Engineer
Question 1 of 3 (difficulty: easy)
You are a Google Cloud Security Engineer conducting a weekly IAM audit. An automated policy scanner flagged an unexpected IAM role assignment: a project-level Owner role was granted to an external service account outside the scheduled change management window. Review the Cloud Audit Log events, flag all entries related to the suspicious IAM change, and classify the incident.
Objectives
- Review the Cloud Audit Log for unauthorized IAM role assignments
- Flag all entries related to the over-permissive IAM change and subsequent unauthorized access by the external account
- Classify the type of security incident
- Identify the user who made the unauthorized IAM change
- Recommend the most appropriate immediate response action
Security Event Log
| Time | Severity | Source | Message |
|---|---|---|---|
| 07:00:00 | INFO | audit-log | GCP Audit: admin@certnova.com called compute.instances.list in us-central1 -- routine morning review |
| 07:05:00 | INFO | system | GCP Monitoring: all health checks passing for proj-certnova production services |
| 07:30:00 | ALERT | audit-log | GCP Audit: dev-lead@certnova.com called projects.setIamPolicy on proj-certnova -- ADDED roles/owner for ext-contractor@partner-org.iam.gserviceaccount.com |
| 07:30:15 | WARN | audit-log | IAM Policy Scanner: roles/owner granted to external service account ext-contractor@partner-org.iam.gserviceaccount.com -- violates least privilege policy (project-level Owner is highest privilege) |
| 07:31:00 | WARN | audit-log | Change Management: IAM modification by dev-lead@certnova.com occurred at 07:30 UTC -- outside approved change window (Tue/Thu 14:00-16:00 UTC) |
| 07:32:00 | INFO | audit-log | GCP Audit: developer05@certnova.com called cloudfunctions.functions.get in us-central1 -- routine development query |
| 07:35:00 | WARN | audit-log | GCP Audit: ext-contractor@partner-org.iam.gserviceaccount.com called storage.buckets.list on proj-certnova from 203.0.113.150 -- first-ever access by this account |
| 07:36:00 | INFO | web | 200 GET /api/health from 10.128.0.2 (internal health probe) |
| 07:37:00 | WARN | audit-log | GCP Audit: ext-contractor@partner-org.iam.gserviceaccount.com called compute.instances.list from 203.0.113.150 -- enumerating all GCE instances in proj-certnova |
| 07:38:00 | INFO | system | GCP Cloud Scheduler: daily-report-generation triggered successfully |
| 07:40:00 | INFO | audit-log | GCP Audit: svc-monitoring@proj-certnova.iam.gserviceaccount.com called monitoring.timeSeries.list -- routine metrics collection |
| 07:45:00 | INFO | auth | Successful login: security-admin@certnova.com to GCP Console for weekly audit |
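One way to automate the review the objectives describe, as an added example that is not part of the exercise or its platform: it parses a constructed subset of the table above, flags any setIamPolicy call that adds a high-privilege role for a principal outside the organisation's domains, flags every later entry that references that principal (scanner alerts and its own API calls), and records who made the change. The `time|severity|source|message` line format, the trusted-domain set and the role list are assumptions.

```python
import re

# Constructed sample lines ("time|severity|source|message"), modelled on the table above.
LOG_LINES = [
    "07:00:00|INFO|audit-log|GCP Audit: admin@certnova.com called compute.instances.list in us-central1 -- routine morning review",
    "07:30:00|ALERT|audit-log|GCP Audit: dev-lead@certnova.com called projects.setIamPolicy on proj-certnova -- ADDED roles/owner for ext-contractor@partner-org.iam.gserviceaccount.com",
    "07:30:15|WARN|audit-log|IAM Policy Scanner: roles/owner granted to external service account ext-contractor@partner-org.iam.gserviceaccount.com -- violates least privilege policy",
    "07:32:00|INFO|audit-log|GCP Audit: developer05@certnova.com called cloudfunctions.functions.get in us-central1 -- routine development query",
    "07:35:00|WARN|audit-log|GCP Audit: ext-contractor@partner-org.iam.gserviceaccount.com called storage.buckets.list on proj-certnova from 203.0.113.150 -- first-ever access by this account",
    "07:37:00|WARN|audit-log|GCP Audit: ext-contractor@partner-org.iam.gserviceaccount.com called compute.instances.list from 203.0.113.150 -- enumerating all GCE instances in proj-certnova",
    "07:40:00|INFO|audit-log|GCP Audit: svc-monitoring@proj-certnova.iam.gserviceaccount.com called monitoring.timeSeries.list -- routine metrics collection",
]

# Assumption: identities under these domains belong to the organisation; anything else is external.
TRUSTED_DOMAINS = {"certnova.com", "proj-certnova.iam.gserviceaccount.com"}
# Basic roles that confer broad project-level control; a grant of these to an outsider is always worth a look.
HIGH_PRIV_ROLES = {"roles/owner", "roles/editor"}

AUDIT_RE = re.compile(r"GCP Audit: (?P<actor>\S+) called (?P<method>\S+)")
GRANT_RE = re.compile(r"ADDED (?P<role>roles/\S+) for (?P<member>\S+)")


def is_external(principal: str) -> bool:
    return principal.rsplit("@", 1)[-1] not in TRUSTED_DOMAINS


def analyze(lines):
    """Return (flagged, findings): flagged entries as (time, reason) and one finding per risky grant."""
    flagged, findings, watched = [], [], set()
    for line in lines:
        time, _severity, _source, msg = line.split("|", 3)
        audit, grant = AUDIT_RE.search(msg), GRANT_RE.search(msg)
        # Rule 1: a setIamPolicy call that adds a high-privilege role for an external principal.
        if (audit and audit["method"].endswith("setIamPolicy") and grant
                and grant["role"] in HIGH_PRIV_ROLES and is_external(grant["member"])):
            watched.add(grant["member"])
            findings.append({"changed_by": audit["actor"], "member": grant["member"], "role": grant["role"],
                             "classification": "over-permissive IAM grant to external principal"})
            flagged.append((time, f"{audit['actor']} granted {grant['role']} to external {grant['member']}"))
            continue
        # Rule 2: any later entry referencing a principal from a flagged grant (scanner alerts, its API calls).
        hit = next((m for m in watched if m in msg), None)
        if hit:
            what = f"API call {audit['method']}" if audit and audit["actor"] == hit else "alert referencing grant"
            flagged.append((time, f"{hit}: {what}"))
    return flagged, findings


if __name__ == "__main__":
    for time, reason in analyze(LOG_LINES)[0]:
        print(time, reason)
```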