Respond to abuse notifications and warnings in Google Cloud

To help keep Google Cloud systems and our customers safe, we work to ensure that our products are used in the intended manner and that our platform isn't misused or abused. As described in the Cloud Privacy Notice, we work to protect against the violations defined in the Terms of Service and Acceptable Use Policy.

Examples of abuse or misuse include the following issues:

  • Potentially compromised service account credentials
  • Potentially compromised API keys
  • Cryptocurrency alerting
  • Malware or unwanted software
  • Phishing

Google Cloud has a dedicated team of engineers and security experts who work to protect our systems and customers. When Google becomes aware of abusive activity, we notify affected customers and take measures to help prevent future abuse. We strive to ensure that our interventions don't impact your critical work. For more information, see Project suspension guidelines.

This page describes what you can do if you receive a notification about abuse or misuse from us.

Respond to an abuse notification

If you receive an abuse notification or warning, you must promptly address or remedy any violations that are noted in the notification and review the Terms of Service and Acceptable Use Policy.

You can check your Google Cloud abuse logs and troubleshoot your environment using the diagnostic tools that are part of Google Cloud (such as Security Command Center).

Example issues and responses

This section includes examples that describe how to remediate and respond to issues that might have caused an alert. If you cannot resolve the issue on your own, and you have a Cloud Customer Care package, contact Customer Care. You can also consult the Google Cloud Community Forum to help resolve issues.

Potentially compromised service account credentials

An alert for detected leaked credentials indicates that your organization might have inadvertently published the specified service account credentials in public repositories or websites.

To resolve this issue, complete the following steps:

  1. In the Google Cloud console, review the activity on your account.

    Go to Dashboard

  2. Revoke all credentials for the compromised service accounts. Rotate all credentials in the affected projects because every resource that is accessible to the service account might have been affected. For instructions, see Handling compromised Google Cloud credentials.

  3. Delete all unauthorized VMs or resources.

  4. Verify that your service account credentials are not embedded in public repositories, stored in download directories, or unintentionally shared in other ways.

To help protect your organization against compromised credentials, see Best practices to avoid compromised credentials.

Potentially compromised API keys

An alert for detected compromised API keys indicates that your organization might have inadvertently published the affected API key in public repositories or websites.

To resolve this issue, complete the following steps:

  1. If this key is supposed to be public, complete the following steps:

    1. In the Google Cloud console, review the API and billing activity on your account. Verify that the usage and billing are what you expect.

      Go to Dashboard

    2. If applicable, add API key restrictions to your API key.

  2. If this key isn't supposed to be public, complete the following steps:

    1. In the Google Cloud console, generate a new API key. For instructions, see Regenerate API keys
    2. Verify that your API keys are not embedded in public repositories, stored in download directories, or unintentionally shared in other ways.
    3. If applicable, add API key restrictions to your API key.
    4. If you're using Google Maps APIs, see Google Maps Platform security guidance.

To help protect your organization against compromised credentials, see Best practices to avoid compromised credentials.

Cryptocurrency mining

This alert indicates that a project is engaged in cryptocurrency mining. This issue is usually preceded by a compromise, such as a leaked service account credential, that grants a bad actor access to your Google Cloud project.

To resolve this issue, complete the following steps:

  1. In the Google Cloud console, review the project's activity.

    Go to Logs Explorer

  2. Terminate any unauthorized cryptomining activity and take measures to secure your account and any affected projects.

  3. If you have suspended resources, you can submit an appeal to regain access.

To help protect your organization against cryptocurrency mining attacks, see Best practices for protecting against cryptocurrency mining attacks.

Malware or unwanted software

This alert indicates that your organization includes a project that hosts, distributes, or facilitates distribution of malware, unwanted software, or viruses. To resolve this issue, complete the following steps:

  1. Remove any malicious content and mechanisms from your projects.

    Go to Logs Explorer

  2. Verify that your project wasn't compromised by checking its usage and logs.

  3. If necessary, shut down (delete) your project.

  4. To regain access to your suspended resources, submit an appeal.

To help protect your organization against malware or unwanted software, see Best practices for mitigating ransomware attacks.

If your site has a red browser warning, it was identified by Google's Safe Browsing program as malicious. Safe Browsing operates separately from Google Cloud. You can submit a review request for the page using the Search Console. For more information, see Google Search Console and Get started with Search Console.

Phishing

This alert indicates that phishing or deceptive social engineering content was published from your Google Cloud project. Hackers might try to take control of your site and use it to host deceptive content.

To resolve this issue, complete the following steps:

  1. Remove any phishing content and mechanisms from your projects.
  2. Verify that your project wasn't compromised by checking its usage and logs.
  3. If necessary, shut down (delete) your project.
  4. To regain access to your suspended resources, submit an appeal.

If your site has a red browser warning, it was identified by Google's Safe Browsing program as malicious. Safe Browsing operates separately from Google Cloud. You can submit a review request for the page using the Search Console. For more information, see Google Search Console and Get started with Search Console.

Submit an appeal

You can submit an appeal to Google Cloud after you receive a warning or suspension notification and complete the remediation steps so that you can restore access to services.

To submit an appeal, in the Google Cloud console, select the project and access the Appeals page for the project. Ensure that your response includes the following:

  • What caused the issue.
  • The steps that you've taken to resolve the issue.
  • Whether the behavior was intentional.
  • Your billing account ID.
  • Whether your project was compromised.

If you see an error message telling you that you don't have sufficient permission to access the page, verify that you're logged in as the project owner and have the appropriate IAM permissions to edit the project. If you're logged into multiple accounts, log out of all other accounts and try logging in again.

After you submit your appeal, Google Cloud reviews your appeal and responds back with a resolution and final disposition.

Report suspected abuse

If you believe that your Google Cloud services are being abused, report it immediately to Google Cloud Customer Care. To report an issue that isn't related to your services, use the Report suspected abuse on Google Cloud form.

Best practices to help protect yourself from abuse

To help protect yourself from abuse on Google Cloud, consider the following:

  • Use strong passwords and enable two-factor authentication for your Google Cloud accounts. For more information, see Manage identity and access.

  • Be careful about which third-party applications are granted access to your Google Cloud resources, and the authentication method they use. For more information about securing applications, see Use IAM securely and Authentication methods at Google.

  • Monitor third-party software to help ensure that your project doesn't become compromised by vulnerabilities in third-party software you have installed. For more information on security best practices, see the Securing instances section of the Cloud Security FAQ.

  • If your primary business is to host third-party content or services or facilitate the sale of goods and services between third parties, enforce compliance with the Google Cloud Acceptable Use Policy. Implement the following:

    • Publish policies that define what content is prohibited on your platform.
    • Maintain a reporting intake process (for example, a webform or email alias) to receive notices of illegal or abusive content (in addition to a monitored communication channel for Google).
    • Promptly review and address any alerts, and remove content where appropriate.

  • Implement logging and detective controls and monitor your Google Cloud logs for suspicious activity. For more information, see the following:

  • Use Security Command Center to help identify vulnerabilities in your environment and remediate them.

  • Monitor the relevant Essential Contacts email addresses for your projects so that you know as soon as your project is warned. Make sure that email messages from google-cloud-compliance@google.com don't go to a spam folder.