Skip to main content

Cloud Credentials Rotation - GCP

This Playbook is part of the GCP Enrichment and Remediation Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

GCP Credentials Rotation Playbook#

IAM Remediation#

For compromised service accounts:

  • Access Key Disabling: Immediately disable the compromised service account access key.

  • New Key Generation: After ensuring the old key is disabled, generate a new access key.

GSuite Admin Remediation#

Admin accounts are crucial:

  • Reset Password: Resets the user password to halt any unauthorized access.

  • Revoke Access Token: Revoke any suspicious or unauthorized access tokens.

  • Combo Action: Reset the password and revoke access tokens to ensure complete safety.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • GSuiteAdmin


  • GeneratePassword
  • Set


  • gsuite-user-update
  • gcp-iam-service-account-key-create
  • gcp-compute-list-instances
  • gsuite-token-revoke
  • gcp-iam-service-accounts-get
  • gcp-iam-service-account-keys-get
  • gcp-iam-service-account-key-disable

Playbook Inputs#

NameDescriptionDefault ValueRequired
GSuiteRemediationTypeThe response playbook provides the following remediation actions using GSuite Admin:

Reset: By entering "Reset" in the input, the playbook will execute password reset.

Revoke: By entering "Revoke" in the input, the playbook will execute access key suspension. (Both the user and client IDs must be provided)

ALL: By entering "ALL" in the input, the playbook will execute the password reset and revoke access key tasks.
userIDIdentifies the user in the API request. The value can be the user's primary email address, alias email address, or unique user ID.Optional
clientIDThe client ID.Optional
zoneThe name of the zone.Optional
serviceAccountEmailThe service account email.Optional
identityTypeThe type of identity involved. Usually mapped to the incident field named 'cloudidentitytype'.
cloudProjectThe relevant project that the alert relates to.Optional

Playbook Outputs#

GoogleCloudCompute.InstancesGoogle Cloud Compute instance information.unknown
GCPIAM.ServiceAccountKeyThe service account keys.unknown
GCPIAM.ServiceAccountThe service account information.unknown

Playbook Image#

Cloud Credentials Rotation - GCP