This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Overview
All privileges over a AlloyDB for PostgreSQL database (or all functions or procedures in a database) were granted to one or more database users.
Event Threat Detection is the source of this finding.
How to respond
To respond to this finding, do the following:
Step 1: Review finding details
- Open the
Privilege Escalation: AlloyDB Over-Privileged Grantfinding, as directed in Reviewing findings. On the Summary tab of the finding details panel, review the information in the following sections:
- What was detected, especially the following fields:
- Database display name: the name of the database in the AlloyDB for PostgreSQL instance that was affected.
- Database user name: the PostgreSQL user who granted excess privileges.
- Database query: the PostgreSQL query executed that granted the privileges.
- Database grantees: the grantees of the overbroad privileges.
- Affected resource, especially the following fields:
- Resource full name: the resource name of the AlloyDB for PostgreSQL instance that was affected.
- Parent full name: the resource name of the AlloyDB for PostgreSQL instance.
- Project full name: the Google Cloud project that contains the AlloyDB for PostgreSQL instance.
- Related links, especially the following fields:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- What was detected, especially the following fields:
To see the complete JSON for the finding, click the JSON tab.
Step 2: Review database privileges
- Connect to the AlloyDB for PostgreSQL instance.
- List and show access privileges
for the following:
- Databases. Use the
\lor\listmetacommand and check what privileges are assigned for the database listed in Database display name (from Step 1). - Functions or procedures. Use the
\dfmetacommand and check what privileges are assigned for functions or procedures in the database listed in Database display name (from Step 1).
- Databases. Use the
Step 3: Check logs
- In the Google Cloud console, go to Logs Explorer by clicking the link in Cloud Logging URI (from Step 1). The Logs Explorer page includes all logs related to the relevant Cloud SQL instance.
- In the Logs explorer, check the PostgreSQL
pgauditlogs, which record executed queries to the database, by using the following filters:protoPayload.request.database="var class="edit">database"
Step 4: Research attack and response methods
- Review the MITRE ATT&CK framework entry for this finding type: Exfiltration Over Web Service.
- To determine if additional remediation steps are necessary, combine your investigation results with MITRE research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Contact the owner of the instance with overprivileged grants.
- Consider revoking all permissions for the grantees that are listed in Database grantees until the investigation is completed.
- To limit access to the database (from Database display name of Step 1), revoke unnecessary permissions from the grantees (from Database grantees of Step 1).
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.