To help keep Google Cloud systems and our customers safe, we work to ensure that our products are used in the intended manner and that our platform isn't misused or abused. As described in the Cloud Privacy Notice, we work to protect against the violations defined in the Terms of Service and Acceptable Use Policy.
Google Cloud has a dedicated team of engineers and security experts who work to protect our systems and customers. When Google becomes aware of abusive activity, we notify affected customers and take measures to help prevent future abuse. We strive to ensure that our interventions don't impact your critical work. For more information, see Project suspension guidelines.
This document describes what you can do if you receive a notification about abuse or misuse from us.
Respond to an abuse notification
If you receive an abuse notification or warning, you must promptly address or remedy any violations that are noted in the notification and review the Terms of Service and Acceptable Use Policy.
You can check your Google Cloud abuse logs and troubleshoot your environment using the diagnostic tools that are part of Google Cloud (such as Security Command Center).
The following table includes examples which describe how to remediate and respond to issues that might have caused an alert.
Example issue | Description
Potentially compromised service account credentials | An alert for detected leaked credentials indicates that your organization might have inadvertently published the specified service account credentials in public repositories or websites.
To resolve this issue, complete the following:
- In the Google Cloud console, review the activity on your account. Go to Dashboard
- Revoke all credentials for the compromised service accounts. Rotate all credentials in the affected projects because every resource that is accessible to the service account might have been affected. For instructions, see Handling compromised Google Cloud credentials.
- Delete all unauthorized VMs or resources.
- Verify that your service account credentials are not embedded in public repositories, stored in download directories, or unintentionally shared in other ways.
To help protect your organization against compromised credentials, see Best practices to avoid compromised credentials.
|
Potentially compromised API keys | An alert for detected compromised API keys indicates that your organization might have inadvertently published the affected API key in public repositories or websites.
To resolve this issue, complete the following:
- If this key is supposed to be public:
  - In the Google Cloud console, review the API and billing activity on your account. Verify that the usage and billing are what you expect. Go to Dashboard
  - If applicable, add API key restrictions to your API key.
- If this key isn't supposed to be public:
  - In the Google Cloud console, generate a new API key. For instructions, see Regenerate API keys.
  - Verify that your API keys are not embedded in public repositories, stored in download directories, or unintentionally shared in other ways.
  - If applicable, add API key restrictions to your API key.
- If you're using Google Maps APIs, see Google Maps Platform security guidance.
To help protect your organization against compromised credentials, see Best practices to avoid compromised credentials.
|
Cryptomining | This alert indicates that a project is engaged in cryptocurrency mining. This issue is usually preceded by a compromise, such as a leaked service account credential, that grants a bad actor access to your cloud project.
To resolve this issue, complete the following:
- In the Google Cloud console, review the project's activity. Go to Logs Explorer
- Terminate any unauthorized cryptomining activity and take measures to secure your account and any affected projects.
- If you have suspended resources, you can submit an appeal to regain access.
To help protect your organization against cryptocurrency mining attacks, see Best practices for protecting against cryptocurrency mining attacks.
|
Malware or unwanted software | This alert indicates that your organization includes a project that hosts, distributes, or facilitates distribution of malware, unwanted software, or viruses.
To resolve this issue, complete the following:
- Remove any malicious content and mechanisms from your projects. Go to Logs Explorer
- Verify that your project wasn't compromised by checking its usage and logs.
- If necessary, shut down (delete) your project.
- To regain access to your suspended resources, submit an appeal.
To help protect your organization against malware or unwanted software, see Best practices for mitigating ransomware attacks using Google Cloud.
If your site has a red browser warning, it was identified by Google's Safe Browsing program as malicious. Safe Browsing operates separately from Google Cloud. You can submit a review request for the page using the Search Console. For more information, see Google Search Console, and Get started with Search Console.
|
Phishing | This alert indicates that phishing or deceptive social engineering content was published from your Google Cloud project. Hackers might try to take control of your site and use it to host deceptive content.
To resolve this issue, complete the following:
- Remove any phishing content and mechanisms from your projects.
- Verify that your project wasn't compromised by checking its usage and logs.
- If necessary, shut down (delete) your project.
- To regain access to your suspended resources, submit an appeal.
If your site has a red browser warning, it was identified by Google's Safe Browsing program as malicious. Safe Browsing operates separately from Google Cloud. You can submit a review request for the page using the Search Console. For more information, see Google Search Console, and Get started with Search Console.
|
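One way to carry out the "verify that your credentials are not embedded in public repositories, stored in download directories" steps from the service account and API key rows, as an added example that is not part of the original page or Google's tooling. It walks a directory tree, flags files shaped like a downloaded service account key and strings shaped like a Google API key, and redacts what it reports; the account name, key ID and key values in `demo()` are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")  # "AIza" + 35 URL-safe chars
SA_KEY_FIELDS = {"type", "private_key", "private_key_id", "client_email"}

def classify_file(path: Path) -> list[dict]:
    """Return findings for one file; the secret itself is never echoed."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return []
    findings = []
    try:
        doc = json.loads(text)  # a key file is a single JSON object
    except ValueError:
        doc = None
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and SA_KEY_FIELDS <= doc.keys()):
        findings.append({"path": str(path), "kind": "service_account_key",
                         "account": doc["client_email"], "key_id": doc["private_key_id"]})
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in API_KEY_RE.finditer(line):
            key = match.group(0)
            findings.append({"path": str(path), "kind": "api_key", "line": lineno,
                             "redacted": key[:8] + "..." + key[-4:]})
    return findings

def scan_tree(root: Path) -> list[dict]:
    """Scan regular files under root; .git internals are compressed, so skip them."""
    return [f for p in sorted(root.rglob("*"))
            if p.is_file() and ".git" not in p.parts for f in classify_file(p)]

def demo() -> list[dict]:
    """Scan a constructed sample tree that contains only fake values."""
    fake_sa = {"type": "service_account", "private_key_id": "0" * 40,
               "private_key": "CONSTRUCTED-PLACEHOLDER",
               "client_email": "build@example-project.iam.gserviceaccount.com"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "downloads").mkdir()
        (root / "downloads" / "key.json").write_text(json.dumps(fake_sa))
        (root / "app.js").write_text("// config\nconst KEY = '%s';\n" % ("AIza" + "x" * 35))
        return [{**f, "path": Path(f["path"]).relative_to(root).as_posix()}
                for f in scan_tree(root)]

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A key deleted from the working tree can still be present in commit history, so rotate any key that was ever committed.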
If you cannot resolve the issue on your own, and you have a Cloud Customer Care package, contact Customer Care.
You can also consult the Google Cloud Community Forum to help resolve issues.
Submit an appeal
You can submit an appeal to Google Cloud after you receive a warning or suspension notification and complete the remediation steps so that you can restore access to services.
To submit an appeal, in the Google Cloud console, select the project and access the Appeals page for the project. Ensure that your response includes the following:
- What caused the issue.
- The steps that you've taken to resolve the issue.
- Whether the behavior was intentional.
- Your billing account ID.
- Whether your project was compromised.
If you see an error message telling you that you don't have sufficient permission to access the page, verify that you're logged in as the project owner and have the appropriate IAM permissions to edit the project. If you're logged into multiple accounts, log out of all other accounts and try logging in again.
After you submit your appeal, Google Cloud reviews your appeal and responds back with a resolution and final disposition.
Report suspected abuse
If you believe that your Google Cloud services are being abused, report it immediately to Google Cloud Customer Care.
To report an issue that isn't related to your services, use the Report suspected abuse on Google Cloud form.
Best practices to help protect yourself from abuse
To help protect yourself from abuse on Google Cloud, consider the following:
- Use strong passwords and enable two-factor authentication for your Google Cloud accounts. For more information, see Manage identity and access.
- Be careful about which third-party applications are granted access to your Google Cloud resources, and the authentication method they use. For more information about securing applications, see Use IAM securely and Authentication methods at Google.
- Monitor third-party software to help ensure that your project doesn't become compromised by vulnerabilities in third-party software you have installed. For more information on security best practices, see the Securing instances section of the Cloud Security FAQ.
- If your primary business is to host third-party content or services or facilitate the sale of goods and services between third parties, enforce compliance with the Google Cloud Acceptable Use Policy. Implement the following:
  - Publish policies that define what content is prohibited on your platform.
  - Maintain a reporting intake process (for example, a webform or email alias) to receive notices of illegal or abusive content (in addition to a monitored communication channel for Google).
  - Promptly review and address any alerts, and remove content where appropriate.
- Implement logging and detective controls and monitor your Google Cloud logs for suspicious activity. For more information, see the following:
- Use Security Command Center to help identify vulnerabilities in your environment and remediate them.
- Monitor the relevant Essential Contacts email addresses for your projects so that you know as soon as your project is warned. Make sure that email messages from google-cloud-compliance@google.com don't go to a spam folder.
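A sketch of the log review that the monitoring advice above and the "review the activity" remediation steps call for, as an added example that is not part of the original page or Google's tooling. It pivots on the `serviceAccountKeyName` field of Cloud Audit Logs entries to pull every call made with one leaked key, then lists the calls that created resources; the account, key ID, resource names and timestamps are constructed, and the insert/create match is a heuristic assumed for this example.

```python
SA = "build@example-project.iam.gserviceaccount.com"   # constructed account
KEY_NAME = f"//iam.googleapis.com/projects/-/serviceAccounts/{SA}/keys/LEAKED-KEY-ID"

def entry(ts, method, resource, principal, key_name=None):
    """Build a constructed record shaped like a Cloud Audit Logs entry."""
    auth = {"principalEmail": principal}
    if key_name:
        auth["serviceAccountKeyName"] = key_name
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "resourceName": resource, "authenticationInfo": auth}}

SAMPLE = [  # constructed sample, not real log data
    entry("2024-05-01T02:12:00Z", "storage.objects.get",
          "projects/_/buckets/example-bucket/objects/a.txt", SA, KEY_NAME),
    entry("2024-05-01T02:10:00Z", "v1.compute.instances.insert",
          "projects/example-project/zones/us-east1-b/instances/worker-1", SA, KEY_NAME),
    entry("2024-05-01T02:11:00Z", "google.iam.admin.v1.CreateServiceAccountKey",
          f"projects/-/serviceAccounts/{SA}", SA, KEY_NAME),
    entry("2024-05-01T09:00:00Z", "v1.compute.instances.insert",
          "projects/example-project/zones/us-east1-b/instances/web-1",
          "admin@example.com"),
]

def calls_with_key(entries, key_id):
    """Entries whose caller authenticated with the given service account key ID."""
    hits = []
    for e in entries:
        auth = e.get("protoPayload", {}).get("authenticationInfo", {})
        if auth.get("serviceAccountKeyName", "").endswith("/keys/" + key_id):
            hits.append(e)
    return hits

def created_resources(entries):
    """Chronological (time, method, resource) for insert/create calls."""
    found = []
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        p = e["protoPayload"]
        verb = p["methodName"].rsplit(".", 1)[-1].lower()
        # New VMs are deletion candidates; new keys must be revoked as well.
        if verb.startswith(("insert", "create")):
            found.append((e["timestamp"], p["methodName"], p["resourceName"]))
    return found

if __name__ == "__main__":
    for row in created_resources(calls_with_key(SAMPLE, "LEAKED-KEY-ID")):
        print(*row)
```

Admin Activity audit logs are always written, while Data Access entries such as the object read in the sample appear only if those logs have been enabled.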