GCP Access Audit: Detecting Unauthorized Access by Terminated Employee

Question

An employee was terminated, but their access to Google Cloud Platform (GCP) was not removed until 2 weeks later.

You need to find out whether this employee accessed any sensitive customer information after their termination.

What should you do?

Answers

A. View System Event Logs in Stackdriver. Search for the user's email as the principal.
B. View System Event Logs in Stackdriver. Search for the service account associated with the user.
C. View Data Access audit logs in Stackdriver. Search for the user's email as the principal.
D. View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Explanations

In this scenario, a terminated employee's access to Google Cloud Platform (GCP) was not removed for 2 weeks. To determine whether the employee accessed any sensitive customer information during that window, the audit logs covering it need to be searched for activity by that user.

The correct answer is option C: view Data Access audit logs in Stackdriver (now Cloud Logging) and search for the user's email as the principal.

Explanation:

Data Access audit logs record API calls that read the configuration or metadata of resources, and user-driven API calls that create, modify or read user-provided resource data (for example, fetching an object from a Cloud Storage bucket or running a BigQuery query). Each entry records the caller, the service and method invoked, and the resource touched, so these are the logs that show whether the terminated employee read or modified customer data after their termination. One caveat: Data Access audit logs are disabled by default for most services (BigQuery is the exception), so entries for the two-week window only exist if Data Access logging had been enabled for the services holding the customer data before that window began. They are also retained for a finite period, so the search should be run promptly.

In an audit log entry the caller is identified by protoPayload.authenticationInfo.principalEmail, which for a human user is their Google account email address. Filtering the Data Access audit logs on that field, restricted to timestamps after the termination date, returns every logged read or write the terminated employee performed.

Option A, viewing System Event Logs in Stackdriver and searching for the user's email as the principal, is incorrect because System Event audit logs record configuration changes made by Google Cloud systems rather than by user action (for example, a live migration of a Compute Engine instance). They are not produced by a user's API requests and contain no record of data being read or modified.

Option B, viewing System Event Logs in Stackdriver and searching for the service account associated with the user, is also incorrect. It has the same problem as option A, and the identity to search for is the user's own account, not a service account: service accounts are identities for workloads, granted roles and permissions in their own right, and are not tied one-to-one to a user. (If the employee was able to impersonate a service account, the Data Access entries would name the service account as the principal and record the user under authenticationInfo.serviceAccountDelegationInfo; that is a second search worth running, still in the Data Access logs.)

Option D, viewing the Admin Activity log in Stackdriver and searching for the service account associated with the user, is incorrect for two reasons. Admin Activity audit logs record API calls that modify the configuration or metadata of resources, such as creating or deleting a resource or changing its IAM policy; they do not record reads of customer data. And, as with option B, the service account is the wrong identity to search for.

In summary, to determine whether a terminated employee accessed sensitive customer information after their termination, view the Data Access audit logs in Stackdriver and search for the user's email as the principal, restricting the search to the period after the termination date. If Data Access logging was not enabled for the relevant services during that window, no record of the reads exists.
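As an added example (not part of the original page and not Google tooling), the following Python builds the Cloud Logging filter described in the explanation and applies the same conditions to a handful of constructed, LogEntry-shaped records so the logic can be run offline. The project ID, user address, timestamps and log records are all hypothetical. It also covers the impersonation case noted under option B: entries whose principal is a service account but whose serviceAccountDelegationInfo names the terminated user.

```python
"""Added example: triage Data Access audit logs for a terminated user.

build_filter() produces the Logs Explorer / `gcloud logging read` query;
find_post_termination_access() applies the same conditions to LogEntry-shaped
dicts so the example runs offline against constructed sample records.
"""
from datetime import datetime, timezone

PROJECT_ID = "example-project"            # assumption, not from the page
TERMINATED_USER = "jdoe@example.com"      # assumption, not from the page
TERMINATION_TS = "2024-03-01T00:00:00Z"   # assumption, not from the page
DATA_ACCESS_LOG = "cloudaudit.googleapis.com%2Fdata_access"
ADMIN_ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"


def build_filter(project, principal, since):
    """Cloud Logging query: Data Access entries at or after `since` where the
    user is the direct caller or the first-party principal behind an
    impersonated service account."""
    return (
        f'logName="projects/{project}/logs/{DATA_ACCESS_LOG}"\n'
        f'AND timestamp>="{since}"\n'
        f'AND (protoPayload.authenticationInfo.principalEmail="{principal}"\n'
        f'     OR protoPayload.authenticationInfo.serviceAccountDelegationInfo'
        f'.firstPartyPrincipal.principalEmail="{principal}")'
    )


def gcloud_command(project, principal, since):
    """Shell command that pulls the matching entries as JSON."""
    return (f"gcloud logging read '{build_filter(project, principal, since)}' "
            f"--project={project} --format=json")


def _ts(value):
    """RFC 3339 timestamp (as used in LogEntry.timestamp) to aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def acting_principals(entry):
    """Identities behind an entry: the direct caller plus any first-party
    principal recorded when a service account was impersonated."""
    auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
    principals = set()
    if auth.get("principalEmail"):
        principals.add(auth["principalEmail"])
    for delegation in auth.get("serviceAccountDelegationInfo", []):
        first_party = delegation.get("firstPartyPrincipal", {}).get("principalEmail")
        if first_party:
            principals.add(first_party)
    return principals


def find_post_termination_access(entries, principal, termination_ts):
    """Local equivalent of build_filter(): Data Access entries attributable to
    `principal` at or after `termination_ts`, oldest first."""
    cutoff = _ts(termination_ts)
    hits = []
    for entry in entries:
        if not entry.get("logName", "").endswith(DATA_ACCESS_LOG):
            continue  # Admin Activity / System Event entries are not data reads
        if principal not in acting_principals(entry):
            continue
        if _ts(entry["timestamp"]) < cutoff:
            continue  # access before termination is out of scope
        payload = entry["protoPayload"]
        hits.append({
            "timestamp": entry["timestamp"],
            "method": payload.get("methodName"),
            "resource": payload.get("resourceName"),
            "caller": payload["authenticationInfo"].get("principalEmail"),
        })
    return sorted(hits, key=lambda h: _ts(h["timestamp"]))


def _entry(log, ts, caller, method, resource, first_party=None):
    """Build a minimal LogEntry-shaped dict (constructed sample data)."""
    auth = {"principalEmail": caller}
    if first_party:
        auth["serviceAccountDelegationInfo"] = [
            {"firstPartyPrincipal": {"principalEmail": first_party}}]
    return {"logName": f"projects/{PROJECT_ID}/logs/{log}", "timestamp": ts,
            "protoPayload": {"authenticationInfo": auth,
                             "methodName": method, "resourceName": resource}}


# Constructed sample entries, not real logs: one read before termination,
# one Admin Activity entry, two Data Access reads after termination (one via
# an impersonated service account), and one read by an unrelated user.
SAMPLE_ENTRIES = [
    _entry(DATA_ACCESS_LOG, "2024-02-27T09:12:00Z", TERMINATED_USER,
           "storage.objects.get", "projects/_/buckets/customer-exports/objects/q1.csv"),
    _entry(ADMIN_ACTIVITY_LOG, "2024-03-04T10:00:00Z", TERMINATED_USER,
           "storage.setIamPermissions", "projects/_/buckets/customer-exports"),
    _entry(DATA_ACCESS_LOG, "2024-03-05T14:30:00Z", TERMINATED_USER,
           "storage.objects.get", "projects/_/buckets/customer-exports/objects/q1.csv"),
    _entry(DATA_ACCESS_LOG, "2024-03-06T08:05:00Z", "analyst@example.com",
           "google.cloud.bigquery.v2.JobService.Query", f"projects/{PROJECT_ID}/jobs/job_abc"),
    _entry(DATA_ACCESS_LOG, "2024-03-09T19:45:00Z",
           f"etl-runner@{PROJECT_ID}.iam.gserviceaccount.com",
           "google.cloud.bigquery.v2.JobService.Query", f"projects/{PROJECT_ID}/jobs/job_xyz",
           first_party=TERMINATED_USER),
]

if __name__ == "__main__":
    print(gcloud_command(PROJECT_ID, TERMINATED_USER, TERMINATION_TS))
    for hit in find_post_termination_access(SAMPLE_ENTRIES, TERMINATED_USER, TERMINATION_TS):
        print(hit)
```

Against the sample, the pre-termination read and the Admin Activity entry are skipped, the unrelated user's query is skipped, and two hits remain: the direct Cloud Storage read and the BigQuery query run through the impersonated service account, which a filter on principalEmail alone would have missed.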