Testing Sensitive Actions Service

Verify that Sensitive Actions Service is working by intentionally triggering the Persistence: project SSH key added detector and checking for findings.

To learn more about Sensitive Actions Service, see Sensitive Actions Service overview.

Before you begin

To complete this guide, you must have an Identity and Access Management (IAM) role with the compute.projects.setCommonInstanceMetadata and iam.serviceAccounts.actAs permissions in the project where you will perform the test, such as the Compute Admin role (roles/compute.admin).

Testing Sensitive Actions Service

To test Sensitive Actions Service, you add a project-level SSH key, which may grant SSH key access to all instances in the project.

This detector doesn't generate a finding if there is already a project-level SSH key set on the project. Choose a project that doesn't already have any project-level SSH keys.

Step 1: Triggering a Sensitive Actions Service detector

To trigger the detector, you need a test user account. You can create a test user account with a gmail.com email address or use an existing user account in your organization. You add the test user account to your organization and grant it excessive permissions.

For more instructions on how to add the project-level SSH key, see Add SSH keys to project metadata. For instructions on how to generate an SSH key, see Create SSH keys.

  1. Go to the Compute Engine Metadata page in the Google Cloud console.

  2. Click the SSH Keys tab.

  3. Verify that there aren't currently any SSH keys set on the project. If SSH keys are set, you will see the existing keys in a table, and the test won't work. Choose a project that doesn't have any existing project-level SSH keys for the test.

  4. Click Add SSH Key.

  5. Add a public key into the text box. For more details on how to generate an SSH key, see Create SSH keys.

  6. Click Save.

Next, verify that the Persistence: project SSH key added detector has written findings.
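The console steps above check the precondition by eye (no existing keys in the SSH Keys table) and then add one key. The following is an added example, not code from the Google Cloud documentation or the Sensitive Actions Service itself, that does the same precondition check and key edit against the project metadata document that `gcloud compute project-info describe --format=json` returns. It assumes only the `commonInstanceMetadata.items[].key/value` shape of that output and the `ssh-keys` line format `USERNAME:KEY_TYPE KEY_DATA [COMMENT]`; the sample projects and key material below are constructed. The `remove_entries` helper is the metadata-side equivalent of the Clean up section at the end of this page.

```python
import json

SSH_KEYS_ITEM = "ssh-keys"  # project-level metadata key read by Compute Engine

# Constructed sample shaped like `gcloud compute project-info describe --format=json`
# for a project that has no project-level SSH keys (a suitable test project).
PROJECT_WITHOUT_KEYS = json.loads("""
{
  "name": "test-project",
  "commonInstanceMetadata": {
    "kind": "compute#metadata",
    "items": [ {"key": "enable-oslogin", "value": "FALSE"} ]
  }
}
""")

# Constructed sample for a project that already has project-level keys; the
# detector would not fire here, so the test must not use it.
PROJECT_WITH_KEYS = json.loads("""
{
  "name": "other-project",
  "commonInstanceMetadata": {
    "kind": "compute#metadata",
    "items": [
      {"key": "ssh-keys",
       "value": "alice:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial alice@example.com\\nbob:ssh-rsa AAAAB3NzaC1yc2EConstructedKeyMaterial bob@example.com"}
    ]
  }
}
""")


def ssh_keys_value(project_info):
    """Raw value of the project-level 'ssh-keys' metadata item, or '' if absent."""
    metadata = project_info.get("commonInstanceMetadata") or {}
    for item in metadata.get("items") or []:
        if item.get("key") == SSH_KEYS_ITEM:
            return item.get("value") or ""
    return ""


def parse_ssh_keys(value):
    """Split the metadata value into entries: one USERNAME:KEY_TYPE KEY_DATA [COMMENT] per line."""
    entries = []
    for line in value.splitlines():
        line = line.strip()
        if not line:
            continue
        username, sep, key = line.partition(":")
        if not sep or not username:
            raise ValueError(f"malformed ssh-keys entry: {line!r}")
        parts = key.split(None, 2)
        if len(parts) < 2:
            raise ValueError(f"malformed public key in entry: {line!r}")
        entries.append({"username": username, "key_type": parts[0], "key_data": parts[1],
                        "comment": parts[2] if len(parts) == 3 else ""})
    return entries


def suitable_for_test(project_info):
    """Precondition from the page: the detector only fires when no project-level key exists yet."""
    return not parse_ssh_keys(ssh_keys_value(project_info))


def add_entry(value, username, public_key):
    """Return the metadata value with one test key appended (Step 1, 'Add SSH Key')."""
    new_line = f"{username}:{' '.join(public_key.split())}"
    existing = value.rstrip("\n")
    return new_line if not existing else existing + "\n" + new_line


def remove_entries(value, username):
    """Return the metadata value with every entry for `username` dropped (Clean up)."""
    kept = [line for line in value.splitlines()
            if line.strip() and line.split(":", 1)[0] != username]
    return "\n".join(kept)


if __name__ == "__main__":
    for project in (PROJECT_WITHOUT_KEYS, PROJECT_WITH_KEYS):
        print(project["name"], "suitable for the test:", suitable_for_test(project))
    test_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial tester@example.com"
    updated = add_entry(ssh_keys_value(PROJECT_WITHOUT_KEYS), "tester", test_key)
    print("value to apply:\n" + updated)
    print("value after clean up:", repr(remove_entries(updated, "tester")))
```

To apply the value that `add_entry` produces you would write it to a file and pass it to `gcloud compute project-info add-metadata --metadata-from-file ssh-keys=FILE`; writing the whole value back, rather than only the new line, is what keeps the later `remove_entries` step from disturbing any other entries, which matters on a real project even though the test project is expected to have none.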

Step 2: Viewing the finding in Security Command Center

To review Sensitive Actions Service findings in Security Command Center, follow the steps for the Findings view that you are using in the Security Command Center dashboard:

Preview view

The following steps are specific to the improved Findings page, which is a feature that is currently in Preview.

  1. Go to the Findings tab on the Security Command Center page in the Google Cloud console.

  2. Under Quick filters, scroll down to Source display name and click Sensitive Actions Service. The Finding query results update to show only findings that were produced by the Sensitive Actions Service.

  3. To view the details of a specific finding, click the finding name under Category. The finding details panel opens.

    • To view a summary of the finding details, which is the default view, under the finding name, click Summary.
    • To view the full details of the finding, under the finding name, click JSON.

Legacy view

  1. Go to the Findings tab on the Security Command Center page in the Google Cloud console.

  2. Next to View by, click Source Type.

  3. In the Source type list, select Sensitive Actions Service. A table populates with findings for the source type you selected.

  4. To view details about a specific finding, click the finding name under Category. The finding details panel expands to display key information, including the following:

    • Attributes
      • category: the finding name
      • resourceName: the resource name of the project
      • severity: the severity of the finding; all Sensitive Actions Service findings are rated Critical
    • sourceProperties
      • address: the external IP address of the VM
      • port: the port for the service or application
      • transferProtocol: the transfer protocol (TCP, FTP, and HTTPS, among others)
      • resourceName: the resource name of the scan target or service

Step 3: Viewing the finding in Cloud Logging

You can view sensitive action log entries by using Cloud Logging.

  1. Go to Logs Explorer in the Google Cloud console.

  2. If required, change to the organization view by using the Organization selector at the top of the page.

  3. Click the Query builder tab.

  4. In the Resource drop-down list, select sensitiveaction.googleapis.com/Location.

  5. Click Run Query. The Query results table is updated with the logs you selected.

  6. To view a log, click a table row, and then click Expand nested fields.

Clean up

When you're finished testing, remove the project-level SSH key.

  1. Go to the Compute Engine Metadata page in the Google Cloud console.

  2. Click Edit.

  3. Click Delete item next to the SSH key.

  4. Click Save.

What's next