Google Cloud helps its customers achieve the best security outcomes by identifying potentially risky behavior so that they can determine whether action is appropriate. It does this by providing insight into what it calls sensitive actions. Google Cloud’s Sensitive Actions Service for account security is a defense-in-depth mechanism that focuses on understanding IAM or user account behavior.

How Sensitive Actions Service Works

When Sensitive Actions Service detects a sensitive action, it creates a finding and a log entry. You can view the finding in the Security Command Center dashboard and query the log entries in Cloud Logging. The following restrictions apply to Sensitive Actions Service:

  • Detection of sensitive actions is limited to actions taken by user accounts.
  • Sensitive Actions Service cannot detect sensitive actions in environments with Assured Workload support.

Reviewing Sensitive Actions Service findings in Security Command Center

Step 1. Open Google Cloud Console and go to the Security Command Center Findings page.

Step 2. Click on Go to Findings.

Step 3. Select your Google Cloud project or organization as per the requirement.

Step 4. Under the Quick filters section, in the Source display name subsection, select Sensitive Actions Service.

Step 5. To view the details of a specific finding, click the finding name under Category. The details pane displays the following information:

  • What the event was
  • When the event happened
  • The source of the finding data
  • The detection severity
  • The actions taken
  • The user who took the action, listed next to Principal email

Step 6. To view all findings caused by the same user’s actions, do the following:

  1. Click on the finding name under Category, and copy the email address next to the Principal email.
  2. Close the pane.
  3. In the query builder, enter the following query:
    access.principal_email="USER_EMAIL"

Here, USER_EMAIL is the email address you copied earlier.
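
Step 6 pivots on one principal at a time. As an added example (not from the original page or from Google), the Python below runs the same pivot across a JSON export of findings and builds the Step 6 query with straight quotes for each principal. It assumes every item has the shape of the constructed sample; the category names, email addresses and the helper names `principal_filter` and `summarize_by_principal` are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample export (not real findings). Assumed shape: a JSON list of
# {"finding": {...}} objects with category, severity, eventTime and
# access.principalEmail, already filtered to Sensitive Actions Service.
SAMPLE_EXPORT = json.dumps([
    {"finding": {"category": "EXAMPLE_CATEGORY_A", "severity": "LOW",
                 "eventTime": "2024-01-10T09:15:00Z",
                 "access": {"principalEmail": "alice@example.com"}}},
    {"finding": {"category": "EXAMPLE_CATEGORY_B", "severity": "HIGH",
                 "eventTime": "2024-01-10T09:20:00Z",
                 "access": {"principalEmail": "alice@example.com"}}},
    {"finding": {"category": "EXAMPLE_CATEGORY_A", "severity": "MEDIUM",
                 "eventTime": "2024-01-11T14:00:00Z",
                 "access": {"principalEmail": "bob@example.com"}}},
    {"finding": {"category": "EXAMPLE_CATEGORY_A", "severity": "LOW",
                 "eventTime": "2024-01-12T08:00:00Z"}},  # no principal recorded
])
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def principal_filter(email):
    """Build the Step 6 query; refuse values that would break the quoting."""
    if any(ch in email for ch in '"\\\u201c\u201d') or email != email.strip():
        raise ValueError(f"unsafe principal value: {email!r}")
    return f'access.principal_email="{email}"'

def summarize_by_principal(export_json):
    """Group findings by principal; most severe, then most active, first."""
    groups = defaultdict(list)
    for item in json.loads(export_json):
        finding = item.get("finding", item)
        email = finding.get("access", {}).get("principalEmail")
        if email:  # findings without a principal cannot be pivoted on
            groups[email].append(finding)
    rows = []
    for email, found in groups.items():
        times = sorted(f.get("eventTime", "") for f in found)
        top = max(SEVERITY_RANK.get(f.get("severity"), 0) for f in found)
        rows.append({"principal": email, "count": len(found), "rank": top,
                     "first_event": times[0], "last_event": times[-1],
                     "categories": sorted({f.get("category", "UNKNOWN") for f in found}),
                     "query": principal_filter(email)})
    return sorted(rows, key=lambda r: (-r["rank"], -r["count"]))

if __name__ == "__main__":
    for row in summarize_by_principal(SAMPLE_EXPORT):
        print(row["principal"], row["count"], row["categories"], row["query"])
```

Each row's `query` value can be pasted into the query builder as in Step 6.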

Viewing the log entries for sensitive actions in Cloud Logging

Step 1. Open Google Cloud Console and go to Logs Explorer.

Step 2. In the project selector at the top of the page, select the project for which you want to see the Sensitive Actions Service log entries. Alternatively, to see log entries at the organization level, select the organization.

Step 3. Navigate to the Query text box, and enter the following resource definition:
    resource.type="sensitiveaction.googleapis.com/Location"

Step 4. Click Run Query. The Query results table is updated with any matching log entries that were written within the time range of your query.

Step 5. To view the details of a log entry, click a table row, then click Expand nested fields.

Conclusion

Sensitive Actions Service supports account security by monitoring your organization’s Admin Activity audit logs for sensitive actions. Admin Activity audit logs are always on, which makes sensitive action detection easier. Sensitive Actions Service identifies risky behaviors in the cloud.

If you are looking for premium security for your organization, Metclouds Technologies will help you achieve this with Google Cloud’s Sensitive Actions Service.