Testing Sensitive Actions Service


Verify that Sensitive Actions Service is working by intentionally triggering the Add Sensitive Role detector and checking for findings.

To learn more about Sensitive Actions Service, see Sensitive Actions Service overview.

Before you begin

To complete this guide, you must have an Identity and Access Management (IAM) role with the resourcemanager.organizations.setIamPolicy permission, such as the Organization Admin role (roles/resourcemanager.organizationAdmin).

Testing Sensitive Actions Service

To test Sensitive Actions Service, you add a test user account to your organization, grant it the Editor role, which contains excessive permissions, and then view the Add Sensitive Role finding in the Security Command Center dashboard and in Cloud Logging. After you confirm the finding, delete the test user or remove the Editor role from the test user account.

Step 1: Triggering a Sensitive Actions Service detector

To trigger the detector, you need a test user account. You can create a test user account with a gmail.com email address or use an existing user account in your organization. You add the test user account to your organization and grant it excessive permissions.

  1. Go to the IAM & Admin page in the Google Cloud console.

  2. Using the selector at the top of the page, select the organization in which you are testing Sensitive Actions Service detection.

  3. On the IAM & Admin page, click Grant access.

  4. On the Add principals pane, in the New principals field, enter the test user's email address.

  5. Click the Role field under Assign roles. The Filter dialog opens.

  6. From the displayed Filter options, select Basic > Editor.

  7. Click Save.

Next, verify that the Add Sensitive Role detector has written findings.

Step 2: Viewing the finding in Security Command Center

To review Sensitive Actions Service findings in Security Command Center, follow the steps in the section below that corresponds to the Findings view that you are using in the Google Cloud console:

Preview findings display

The following steps are specific to the improved Findings page, which is a feature that is currently in Preview.

  1. Go to the Findings tab on the Security Command Center page in the Google Cloud console.

  2. Under Quick filters, scroll down to Source display name and click Sensitive Actions Service. The Finding query results update to show only findings that were produced by the Sensitive Actions Service.

  3. To view the details of a specific finding, click the finding name under Category. The finding details panel opens.

    • To view a summary of the finding details, which is the default view, under the finding name, click Summary.
    • To view the full details of the finding, under the finding name, click JSON.

Legacy findings display

  1. Go to the Findings tab on the Security Command Center page in the Google Cloud console.

  2. Next to View by, click Source Type.

  3. In the Source type list, select Sensitive Actions Service. A table populates with findings for the source type you selected.

  4. To view details about a specific finding, click the finding name under Category. The finding details panel expands to display key information, including the following:

    • Attributes
      • category: the finding name
      • resourceName: the resource name of the project
      • severity: the severity of the finding; all Sensitive Actions Service findings are rated Critical
    • sourceProperties
      • address: the external IP address of the VM
      • port: the port for the service or application
      • transferProtocol: the transfer protocol (TCP, FTP, and HTTPS, among others)
      • resourceName: the resource name of the scan target or service

Step 3: Viewing the finding in Cloud Logging

You can view sensitive action log entries by using Cloud Logging.

  1. Go to Logs Explorer in the Google Cloud console.

  2. If required, change to the organization view by using the Organization selector at the top of the page.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select sensitiveaction.googleapis.com/Location.

  5. Click Run Query. The Query results table is updated with the logs you selected.

  6. To view a log, click a table row, and then click Expand nested fields.

Clean up

When you're finished testing, remove the test user from the organization.

  1. Go to the IAM & Admin page in the Google Cloud console.

  2. Using the selector at the top of the page, select the organization in which you tested Sensitive Actions Service detection.

  3. In the list of principals under Permissions > View by principals, select the test user account.

  4. Remove either the Editor role from the test user account or delete the test user account completely.

    • To remove the Editor role from the test user account:
      1. To the right of the row for the test user account, click the edit icon. The Edit permissions panel appears.
      2. To the right of the Editor role, click the delete icon.
    • To delete the user account completely:
      1. Select the test user account.
      2. At the top of the IAM page, click Remove access. A confirmation dialog appears.
      3. Click Confirm.
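The same test (Step 1 grant, Step 3 log check, and the clean-up) as a scripted gcloud walkthrough. This is an added example, not code from the Google Cloud documentation; it assumes gcloud is installed and authenticated as a principal holding resourcemanager.organizations.setIamPolicy, and ORG_ID and TEST_USER are placeholders you replace.

```shell
#!/usr/bin/env bash
# Added example (not from the Google Cloud documentation): scripted version of
# the console walkthrough. Assumes gcloud is installed and authenticated as a
# principal that holds resourcemanager.organizations.setIamPolicy.
set -euo pipefail

ORG_ID="${ORG_ID:-123456789012}"                 # placeholder organization ID
TEST_USER="${TEST_USER:-test-user@example.com}"  # placeholder test account
ROLE="roles/editor"                              # Basic > Editor, as in Step 1
DRY_RUN="${DRY_RUN:-0}"                          # 1 = print commands instead of running them

# Run a gcloud command, or echo it when DRY_RUN=1 (lets you review the exact
# bindings you are about to change before touching the organization).
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi
}

# Step 1: grant the test user the Editor role at the organization level.
grant_editor() {
  run organizations add-iam-policy-binding "$ORG_ID" \
    --member="user:$TEST_USER" --role="$ROLE" --condition=None --quiet
}

# Step 3: the Logs Explorer filter, i.e. the resource type the console step selects.
log_filter() {
  printf 'resource.type="sensitiveaction.googleapis.com/Location"'
}

# Read the most recent sensitive-action log entries for the organization.
# Detection can lag the grant, so poll a few times before giving up.
read_sensitive_action_logs() {
  local attempt out
  for attempt in 1 2 3 4 5 6; do
    out=$(run logging read "$(log_filter)" --organization="$ORG_ID" \
            --limit=20 --format=json)
    if [ "$DRY_RUN" = "1" ] || echo "$out" | grep -q "$ROLE"; then
      echo "$out"; return 0
    fi
    sleep 30
  done
  echo "no sensitive-action log entry mentioning $ROLE found" >&2; return 1
}

# Clean up: remove the binding again (the page's first clean-up option).
revoke_editor() {
  run organizations remove-iam-policy-binding "$ORG_ID" \
    --member="user:$TEST_USER" --role="$ROLE" --condition=None --quiet
}

if [ "${1:-}" = "run" ]; then
  grant_editor; read_sensitive_action_logs; revoke_editor
fi
```

Run with `DRY_RUN=1 ./test-sas.sh run` first to see the three gcloud commands, then without DRY_RUN to perform the test; the Security Command Center finding itself is still reviewed in the console as in Step 2.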
