Date: 2023-01-07



Google Cloud announced a preview of the Sensitive Actions Service, a premium security feature for identifying potentially dangerous behavior in the cloud. The service detects when actions have been taken in your GCP organization that could be damaging if performed by a malicious actor.

The Sensitive Actions Service creates findings and log entries when it detects potentially harmful actions. Findings are categorized as observations and can be viewed in the Security Command Center dashboard. Among other things, the service detects when the organization-level Billing Administrator IAM role is deleted, or when many instances are created or deleted by the same principal in a single day. Each finding's display name begins with the MITRE ATT&CK tactic, for example “Persistence: Project SSH key added” or “Impact: Many instances created”.

Google Senior Product Manager Timothy Peacock and Google Software Engineer Rosemary McCloskey wrote:

At Google Cloud, we operate in a shared fate model, working with our customers to help them achieve stronger security outcomes. One of the ways we do this is by identifying potentially dangerous behavior so that you can decide if the behavior is appropriate. To this end, we are providing insight into what we call Sensitive Actions.

Cloud providers define the shared fate model as an evolution of the shared responsibility model to make deployments more secure, moving away from checklists and toward a continuous interaction approach. This model includes secure configurations by default, secure blueprints and policy hierarchies, and consistent availability of advanced security features. Forrest Brazeal, Head of Developer Media at Google Cloud, tweeted:

Sensitive Actions is a discreet Google Cloud launch that I really like. I love seeing these alerts appear on by default for account actions with a high factor I would call ‘hmm’.

Google Cloud has released documentation on how to research and create a threat response plan. Peacock and McCloskey add:

Sensitive Actions is a service enabled by default for cloud customers to ensure that adversaries do not have a mechanism to defeat this protection or hide logs from users. If you apply certain privacy controls or policy restrictions to your logging pipeline, your logs will not be analyzed by this service.

The cloud provider warns:

In most cases, the detected action (…) does not represent a threat as it is performed by legitimate users for legitimate purposes. However, the Sensitive Actions Service cannot conclusively determine legitimacy.

This new service, currently in preview, is only available in the Premium tier of Security Command Center and cannot be disabled. Additionally, sensitive actions cannot be detected in environments protected by Assured Workloads.

