Exploiting IAM in GCP
Who am I?
● Formerly Security @ Apple, Netflix
● Startup experience: built cloud security software
● Currently Research @ Netskope
● Focused on AWS, GCP
[Diagram, "What's the Story...": My Organization contains colin-demo-project (instance-1, Compute Engine, with its Service account; Stolen credential; Shell Access) and colin-child-project (nsk-colin-child-bucket, Cloud Storage, inside colin_perimeter)]
[Diagram, "End Condition": My Organization; colin-child-project with nsk-colin-child-bucket (Cloud Storage); colin-demo-project with instance-1 (Compute Engine)]
Agenda
● IAM in GCP
● VPC Service Controls
● Service Account Deep Dive
● GCP Demo
● Q&A
IAM in GCP
Types of Roles
● Primitive Roles - created by Google (not recommended)
○ Owner
○ Editor
○ Viewer
● Predefined Roles - created by Google
○ Compute Instance Admin
○ Storage Object Viewer
○ etc.
● Custom Roles - defined by users
VPC Service Controls
What are VPC Service Controls?
● Designed to mitigate Data Exfiltration risks
○ Create perimeters around your resources, such as Storage buckets
○ Control the movement of data past the boundaries of your perimeter
○ Set conditions to allow data flow outside of the perimeter
● Independent of IAM policies
○ Access that IAM allows is still blocked by the service perimeter
Access Context Manager
● Another service that works in tandem with VPC service controls
● Allows admins to define the rules for access using certain criteria
○ Device type and operating system
○ IP address
○ User identity
An Example
Protecting: nsk-colin-child-bucket
Combining the Controls
● Google says: IAM + VPC Service Controls = Defense in Depth
● IAM can be misconfigured, but the Service Controls protect you
● Everyone should be monitoring changes to these controls
○ What if someone changes the access level rule to allow all traffic from multiple countries?
○ What if somebody removes a service control perimeter?
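The two "what if" questions above are exactly what an audit-log detection should answer. The following is an added example, not code from the deck or from Netskope: it triages Cloud Audit Log entries for Access Context Manager (the service behind both VPC Service Controls perimeters and access levels) and flags perimeter deletions or modifications and access levels that are widened to many countries or to any IP address. The method names, the `accessLevel.basic.conditions[]` request shape and the sample entries are assumptions, constructed for the example; confirm the strings against your own log export before deploying.

```python
import json

# Service name Access Context Manager writes into Cloud Audit Logs; both VPC
# Service Controls perimeters and access levels are managed through it.
ACM_SERVICE = "accesscontextmanager.googleapis.com"

# Assumption: methodName values follow the Access Context Manager v1 API
# (google.identity.accesscontextmanager.v1.AccessContextManager.<Method>).
# Confirm the exact strings against your own audit-log export.
WATCHED_METHODS = {
    "DeleteServicePerimeter": "service perimeter deleted",
    "UpdateServicePerimeter": "service perimeter modified",
    "DeleteAccessLevel": "access level deleted",
    "UpdateAccessLevel": "access level modified",
    "CreateAccessLevel": "access level created",
}


def loosened_conditions(request):
    """Explain why the access level carried in a request body is overly broad.

    Assumption: the request body carries the level under 'accessLevel', with
    'basic.conditions[]' holding 'ipSubnetworks' and 'regions' lists.
    """
    reasons = []
    level = request.get("accessLevel", {})
    for cond in level.get("basic", {}).get("conditions", []):
        subnets = cond.get("ipSubnetworks", [])
        if "0.0.0.0/0" in subnets or "::/0" in subnets:
            reasons.append("condition allows any IP address")
        regions = cond.get("regions", [])
        if len(regions) > 1:
            reasons.append("condition allows %d countries: %s"
                           % (len(regions), ",".join(regions)))
    return reasons


def triage(entries):
    """Return one alert per audit-log entry that changes a perimeter or level."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("serviceName") != ACM_SERVICE:
            continue
        method = payload.get("methodName", "").rsplit(".", 1)[-1]
        if method not in WATCHED_METHODS:
            continue
        reasons = [WATCHED_METHODS[method]]
        reasons += loosened_conditions(payload.get("request", {}))
        alerts.append({
            "time": entry.get("timestamp"),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
            "resource": payload.get("resourceName"),
            "method": method,
            "reasons": reasons,
        })
    return alerts


def triage_jsonl(text):
    """Triage a newline-delimited JSON export (one audit-log entry per line)."""
    return triage([json.loads(line) for line in text.splitlines() if line.strip()])


def _entry(ts, service, method, actor, resource, request=None):
    """Build a minimal audit-log entry for the constructed samples below."""
    payload = {
        "serviceName": service,
        "methodName": method,
        "authenticationInfo": {"principalEmail": actor},
        "resourceName": resource,
    }
    if request is not None:
        payload["request"] = request
    return {"timestamp": ts, "protoPayload": payload}


ACM_METHOD = "google.identity.accesscontextmanager.v1.AccessContextManager."
# Constructed sample log (not real data); POLICY_ID is a placeholder.
SAMPLE_ENTRIES = [
    _entry("2019-05-01T10:00:00Z", ACM_SERVICE, ACM_METHOD + "DeleteServicePerimeter",
           "admin@example.com", "accessPolicies/POLICY_ID/servicePerimeters/colin_perimeter"),
    _entry("2019-05-01T10:05:00Z", ACM_SERVICE, ACM_METHOD + "UpdateAccessLevel",
           "admin@example.com", "accessPolicies/POLICY_ID/accessLevels/corp_only",
           {"accessLevel": {"basic": {"conditions": [{"regions": ["US", "CA", "GB", "DE"]}]}}}),
    _entry("2019-05-01T10:06:00Z", ACM_SERVICE, ACM_METHOD + "CreateAccessLevel",
           "admin@example.com", "accessPolicies/POLICY_ID/accessLevels/anywhere",
           {"accessLevel": {"basic": {"conditions": [{"ipSubnetworks": ["0.0.0.0/0"]}]}}}),
    _entry("2019-05-01T10:07:00Z", "storage.googleapis.com", "storage.objects.get",
           "analyst@example.com", "projects/_/buckets/nsk-colin-child-bucket/objects/report.csv"),
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_ENTRIES)

if __name__ == "__main__":
    for alert in triage_jsonl(SAMPLE_JSONL):
        print(alert["time"], alert["actor"], alert["method"], "; ".join(alert["reasons"]))
```

Run against the constructed sample, the perimeter deletion, the four-country access level and the any-IP access level each produce an alert, while the unrelated Cloud Storage read is ignored. In production the same `triage` would sit behind a log sink rather than a JSON file, and the perimeter events deserve paging, not a daily report.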
Service Account Deep Dive
What is a Service Account?
● Identity for applications to authenticate
● Designed for non-human use
● Uses RSA keys instead of passwords
● Can’t access the web console
● Also considered resources – can apply bindings to them
More about Service Accounts
● A service account must be created in a Project
● IAM bindings can be granted at any level
● Elevated bindings = bindings at the Folder or Organization level
● Google creates some service accounts automatically
○ Default accounts for Compute Engine, App Engine, etc.
○ Accounts Google uses for its own internal processing
Default Service Account - Compute Engine
Google advises against it:
Compute Engine Service Account Role
Contains a primitive role:
● Project Editor
Service Account Impersonation
[Figures: Project Editor Permissions (1894 in total); VPC Service Controls]
[Diagram, "Binding at the Project level": Service Account User (Cloud IAM) bound on colin-demo-project; Service Account 1, Service Account 2, Service Account 3, Service Account 4 (each Cloud IAM)]
[Diagram, "Binding at the Service Account Level": colin-demo-project; Service Account User (Cloud IAM) bound on a single service account; Service Account 1, Service Account 2, Service Account 3, Service Account 4 (each Cloud IAM)]
Permissions for Impersonating a Service Account
● Generating Service Account Keys
○ iam.serviceAccountKeys.create
○ iam.serviceAccountKeys.get
● Impersonation only
○ iam.serviceAccounts.actAs
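The two binding diagrams and the permission list above lead to a concrete audit question: who holds a role that carries key creation or actAs, and at what level? The following is an added example, not code from the deck or from Netskope. It walks an IAM policy in the JSON shape `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` print and reports, per member, which impersonation capability a binding grants and how far it reaches (every service account in the project versus one account). The role-to-permission table is an assumption, a hand-picked subset of Google's published role definitions; the sample policies, project number and member names are constructed.

```python
# Permissions the slides list as enabling service-account impersonation.
KEY_PERMS = {"iam.serviceAccountKeys.create", "iam.serviceAccountKeys.get"}
ACTAS_PERMS = {"iam.serviceAccounts.actAs"}

# Assumption: a hand-picked subset of Google's published role definitions.
# Regenerate it from `gcloud iam roles describe ROLE` before relying on it.
ROLE_PERMS = {
    "roles/owner": KEY_PERMS | ACTAS_PERMS,
    "roles/editor": KEY_PERMS | ACTAS_PERMS,
    "roles/iam.serviceAccountUser": ACTAS_PERMS,
    "roles/iam.serviceAccountKeyAdmin": KEY_PERMS,
    "roles/viewer": set(),
    "roles/storage.objectViewer": set(),
}


def capabilities(role):
    """Map a role to the impersonation capabilities it grants."""
    if role not in ROLE_PERMS:
        # Custom or unlisted role: surface it rather than silently passing it.
        return ["unknown role, inspect its permissions"]
    perms = ROLE_PERMS[role]
    caps = []
    if perms & KEY_PERMS:
        caps.append("create or read service account keys")
    if perms & ACTAS_PERMS:
        caps.append("actAs the service account")
    return caps


def _audit(policy, reach):
    """One finding per (member, role) pair whose role grants a capability."""
    findings = []
    for binding in policy.get("bindings", []):
        caps = capabilities(binding["role"])
        if not caps:
            continue
        for member in binding.get("members", []):
            findings.append({"member": member, "role": binding["role"],
                             "capabilities": caps, "reach": reach})
    return findings


def audit_project_policy(policy, project_id):
    """Bindings at the project level reach every service account in it."""
    return _audit(policy, "every service account in " + project_id)


def audit_service_account_policy(policy, sa_email):
    """Bindings on the service account itself reach only that account."""
    return _audit(policy, "only " + sa_email)


# Constructed sample policies (not real data); 123456789 stands in for a
# project number and the member names are invented.
PROJECT_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:alice@example.com",
                     "serviceAccount:123456789-compute@developer.gserviceaccount.com"]},
        {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
        {"role": "roles/viewer", "members": ["user:carol@example.com"]},
        {"role": "projects/colin-demo-project/roles/customDeployer",
         "members": ["group:deployers@example.com"]},
    ]
}
SA_POLICY = {
    "bindings": [
        {"role": "roles/iam.serviceAccountUser", "members": ["user:dave@example.com"]},
    ]
}

if __name__ == "__main__":
    findings = audit_project_policy(PROJECT_POLICY, "colin-demo-project")
    findings += audit_service_account_policy(
        SA_POLICY, "sa-1@colin-demo-project.iam.gserviceaccount.com")
    for f in findings:
        print("%-65s %-45s %s -> %s" % (f["member"], f["role"],
                                        ", ".join(f["capabilities"]), f["reach"]))
```

Note the second finding: the default Compute Engine service account itself holds Editor, so anyone with a shell on a VM that runs as it can mint keys for, or act as, every other service account in the project. That is the chain the demo relies on, and it is why the takeaways say to bind at the service-account level and keep elevated accounts in their own project.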
Why Service Account Impersonation?
● Privilege Escalation
● It’s easy to lose track:
a. VMs could have service accounts
b. SSH keys could be applied project-wide
c. User can now operate as the service account from a VM
● Obfuscates your activity in GCP
Access Scopes for Virtual Machines
● Legacy Method for applying permissions
● Must be set when using a service account
● Restricts API access for the service account
● Set on a per-instance basis
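Because scopes are set per instance and the default service account carries Project Editor, the inventory to review is the instance list, not the IAM policy. The following is an added example, not code from the deck or from Netskope. It rates Compute Engine instances from the `serviceAccounts[]` (email plus scopes) and `metadata` fields that `gcloud compute instances list --format=json` prints: a VM on the default service account with the `cloud-platform` scope is rated high, because the scope no longer restricts anything; one on the default account with the narrower default scopes is rated medium; and a VM that still accepts project-wide SSH keys (metadata `block-project-ssh-keys` not set to TRUE) is noted as well. The instance names, project number and scope lists are constructed; the severity thresholds are this example's own choice.

```python
DEFAULT_COMPUTE_SA_SUFFIX = "-compute@developer.gserviceaccount.com"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"


def _metadata(instance):
    """Flatten the instance's metadata items into a plain dict."""
    items = instance.get("metadata", {}).get("items", [])
    return {item["key"]: item.get("value", "") for item in items}


def assess_instance(instance):
    """Rate one Compute Engine instance from its serviceAccounts[] and metadata."""
    default_sa = False
    full_scope = False
    issues = []
    for sa in instance.get("serviceAccounts", []):
        email = sa.get("email", "")
        scopes = set(sa.get("scopes", []))
        if email.endswith(DEFAULT_COMPUTE_SA_SUFFIX):
            default_sa = True
            issues.append("runs as the default Compute Engine SA (Project Editor)")
        if CLOUD_PLATFORM_SCOPE in scopes:
            full_scope = True
            issues.append("cloud-platform scope: access scopes restrict nothing")
    if _metadata(instance).get("block-project-ssh-keys", "").upper() != "TRUE":
        issues.append("accepts project-wide SSH keys")

    # Severity thresholds are this example's own choice.
    if default_sa and full_scope:
        severity = "high"    # every Editor permission is reachable from the VM
    elif default_sa or full_scope:
        severity = "medium"  # scopes still limit the SA, or the SA is not the default
    elif issues:
        severity = "low"
    else:
        severity = "ok"
    return {"name": instance.get("name"), "severity": severity, "issues": issues}


def assess_instances(instances):
    """Rate every instance in a list, in the order given."""
    return [assess_instance(i) for i in instances]


# Scopes Compute Engine assigns by default when a SA is attached.
DEFAULT_SCOPES = [
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring.write",
]
# Constructed sample (not real gcloud output); 123456789 stands in for the project number.
SAMPLE_INSTANCES = [
    {"name": "instance-1",
     "serviceAccounts": [{"email": "123456789-compute@developer.gserviceaccount.com",
                          "scopes": [CLOUD_PLATFORM_SCOPE]}]},
    {"name": "instance-2",
     "serviceAccounts": [{"email": "app@colin-demo-project.iam.gserviceaccount.com",
                          "scopes": DEFAULT_SCOPES}],
     "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}},
    {"name": "instance-3",
     "serviceAccounts": [{"email": "123456789-compute@developer.gserviceaccount.com",
                          "scopes": DEFAULT_SCOPES}]},
]

if __name__ == "__main__":
    for result in assess_instances(SAMPLE_INSTANCES):
        print(result["name"], result["severity"], "; ".join(result["issues"]) or "-")
```

The medium rating for instance-3 is the slide's point in code: the default account still holds Editor, but the legacy access scopes keep the VM from calling most APIs with it. Replace the default account and the rating no longer depends on a per-instance setting that anyone with instance admin rights can widen.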
GCP Demo
[Diagram, "Our Scenario again...": My Organization contains colin-demo-project (instance-1, Compute Engine, with its Service account; Stolen credential; Shell Access) and colin-child-project (nsk-colin-child-bucket, Cloud Storage, inside colin_perimeter)]
[Diagram, "IAM Flow": My Organization; colin-demo-project: Stolen credential, instance-1 (Compute Engine), Default SA (Cloud IAM), Org Admin (Cloud IAM), Org Admin (Cloud IAM), Shell Access, SA Impersonation; colin_perimeter: IAM Binding, colin-child-project, nsk-colin-child-bucket (Cloud Storage)]
[Diagram, "End Condition": My Organization; colin-child-project with nsk-colin-child-bucket (Cloud Storage); colin-demo-project with instance-1 (Compute Engine)]
Key Takeaways
● Keep Service Accounts with elevated bindings in their own Project(s)
○ Keep public workloads out of the Project
○ Keep the Project under lock and key
○ Service accounts in the same Project may be able to see each other
● Bind permissions to specific Service Accounts whenever possible
● Don’t use Default Service Accounts
● Avoid using Primitive Roles
2019 © Netskope Confidential. All rights reserved.
Thank you!
Colin Estep
Netskope Threat Research
https://www.netskope.com/blog