Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid

C
CloudVillage
Exploiting IAM in GCP
Who am I? ● Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
My Organization colin-demo-project What’s the Story... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Agenda ● IAM in GCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
IAM in GCP
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Types of Roles ● Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
VPC Service Controls
What are VPC Service Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid
Access Context Manager ● Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
An Example Protecting: nsk-colin-child-bucket
Combining the Controls ● Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
Service Account Deep Dive
What is a Service Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
More about Service Accounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
Default Service Account - Compute Engine Google advises against it:
Compute Engine Service Account Role Contains a primitive role: ● Project Editor
Service Account Impersonation Project Editor Permissions (1894 in total) VPC Service Controls
Binding at the Project level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Binding at the Service Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Permissions for Impersonating a Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
Why Service Account Impersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
Access Scopes for Virtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
GCP Demo
My Organization colin-demo-project Our Scenario again... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization IAM Flow colin-demo-project Stolen credential instance-1 Compute Engine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Demo
Key Takeaways ● Keep Service Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
2019 © Netskope Confidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog
1 of 32

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid

Download to read offline
Technology

"Cloud infrastructure design is complex and makes even the most straight-forward topics, such as Identity and Access Management (IAM), non-trivial and confusing and therefore, full of security risk. While AWS IAM provides for access via console and API/CLI using access keys, there is also a temporary security tokens feature, designed for secure temporary access. However, temporary tokens have multiple security pot-holes that can lead to exploits. I'll explore the limitations of temporary tokens including: - the lack of visibility/management - minimal logging - limited remediation options and how this can be taken advantage of, especially in combination with other techniques such as assuming of roles, pre-signed URLs, log attacks, and serverless functions to achieve persistence, lateral movement, and obfuscation. In addition, I’ll look at common defensive techniques and best practices around lockdown, provisioning, logging and alerting to see whether these are practical and can shift the field."

C
CloudVillage

Recommended

Introduction to GCP presentation by
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentationMohit Kachhwani
6.9K views19 slides
복잡한 권한신청문제 ConsoleMe로 해결하기 - 손건 (AB180) :: AWS Community Day Online 2021 by
복잡한 권한신청문제 ConsoleMe로 해결하기 - 손건 (AB180) :: AWS Community Day Online 2021복잡한 권한신청문제 ConsoleMe로 해결하기 - 손건 (AB180) :: AWS Community Day Online 2021
복잡한 권한신청문제 ConsoleMe로 해결하기 - 손건 (AB180) :: AWS Community Day Online 2021AWSKRUG - AWS한국사용자모임
783 views62 slides
Introduction to Kubernetes and Google Container Engine (GKE) by
Introduction to Kubernetes and Google Container Engine (GKE)Introduction to Kubernetes and Google Container Engine (GKE)
Introduction to Kubernetes and Google Container Engine (GKE)Opsta
2.7K views37 slides
Aws Architecture Fundamentals by
Aws Architecture FundamentalsAws Architecture Fundamentals
Aws Architecture Fundamentals2nd Watch
4.5K views80 slides
Introduction to kubernetes by
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetesRishabh Indoria
12.8K views146 slides
GCP IAM.pptx by
GCP IAM.pptxGCP IAM.pptx
GCP IAM.pptxMohitBabbar6
87 views6 slides

More Related Content

What's hot

Nomad + Flatcar: a harmonious marriage of lightweights by
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweightsIago López Galeiras
326 views28 slides
Ansible - Hands on Training by
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on TrainingMehmet Ali Aydın
5.8K views116 slides
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic Training by
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic TrainingGCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic Training
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic TrainingSimon Su
2.2K views66 slides
Introduction to Google Cloud Services / Platforms by
Introduction to Google Cloud Services / PlatformsIntroduction to Google Cloud Services / Platforms
Introduction to Google Cloud Services / PlatformsNilanchal
1.5K views24 slides
Terraform by
TerraformTerraform
TerraformPhil Wilkins
1.1K views34 slides
How to use IAM roles grant access to AWS by
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWSAmazon Web Services
2.3K views34 slides

What's hot(20)

Nomad + Flatcar: a harmonious marriage of lightweights by Iago López Galeiras
Nomad + Flatcar: a harmonious marriage of lightweightsNomad + Flatcar: a harmonious marriage of lightweights
Nomad + Flatcar: a harmonious marriage of lightweights
Iago López Galeiras326 views
Ansible - Hands on Training by Mehmet Ali Aydın
Ansible - Hands on TrainingAnsible - Hands on Training
Ansible - Hands on Training
Mehmet Ali Aydın5.8K views
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic Training by Simon Su
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic TrainingGCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic Training
GCP - GCE, Cloud SQL, Cloud Storage, BigQuery Basic Training
Simon Su2.2K views
Introduction to Google Cloud Services / Platforms by Nilanchal
Introduction to Google Cloud Services / PlatformsIntroduction to Google Cloud Services / Platforms
Introduction to Google Cloud Services / Platforms
Nilanchal 1.5K views
Terraform by Phil Wilkins
TerraformTerraform
Terraform
Phil Wilkins1.1K views
How to use IAM roles grant access to AWS by Amazon Web Services
How to use IAM roles grant access to AWSHow to use IAM roles grant access to AWS
How to use IAM roles grant access to AWS
Amazon Web Services2.3K views
Introduction to Amazon EC2 by Amazon Web Services
Introduction to Amazon EC2Introduction to Amazon EC2
Introduction to Amazon EC2
Amazon Web Services8.3K views
Introduction to Serverless by Amazon Web Services
Introduction to ServerlessIntroduction to Serverless
Introduction to Serverless
Amazon Web Services2.7K views
Terraform by Pathum Fernando ☁
TerraformTerraform
Terraform
Pathum Fernando ☁3.8K views
AWS 환경에서 Dell Technologies 데이터 보호 솔루션을 활용한 데이터 보호 방안 - 정진환 이사, Dell EMC :: AW... by Amazon Web Services Korea
AWS 환경에서 Dell Technologies 데이터 보호 솔루션을 활용한 데이터 보호 방안 - 정진환 이사, Dell EMC :: AW...AWS 환경에서 Dell Technologies 데이터 보호 솔루션을 활용한 데이터 보호 방안 - 정진환 이사, Dell EMC :: AW...
AWS 환경에서 Dell Technologies 데이터 보호 솔루션을 활용한 데이터 보호 방안 - 정진환 이사, Dell EMC :: AW...
Amazon Web Services Korea570 views
Cloud Migration: Moving to the Cloud by Dr.-Ing. Michael Menzel
Cloud Migration: Moving to the CloudCloud Migration: Moving to the Cloud
Cloud Migration: Moving to the Cloud
Dr.-Ing. Michael Menzel10.7K views
Google Cloud Platform by Francesco Marchitelli
Google Cloud Platform Google Cloud Platform
Google Cloud Platform
Francesco Marchitelli23.2K views
Serverless and Design Patterns In GCP by Oliver Fierro
Serverless and Design Patterns In GCPServerless and Design Patterns In GCP
Serverless and Design Patterns In GCP
Oliver Fierro166 views
Aws VPC by Abhishek Amralkar
Aws VPCAws VPC
Aws VPC
Abhishek Amralkar1.5K views
Introduction to Google Cloud Platform by Sujai Prakasam
Introduction to Google Cloud PlatformIntroduction to Google Cloud Platform
Introduction to Google Cloud Platform
Sujai Prakasam5.4K views
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin... by Vietnam Open Infrastructure User Group
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Vietnam Open Infrastructure User Group357 views
Understanding cloud with Google Cloud Platform by Dr. Ketan Parmar
Understanding cloud with Google Cloud PlatformUnderstanding cloud with Google Cloud Platform
Understanding cloud with Google Cloud Platform
Dr. Ketan Parmar8.4K views
A brief introduction to IaC with Terraform by Kenton Robbins (codeHarbour May... by Alex Cachia
A brief introduction to IaC with Terraform by Kenton Robbins (codeHarbour May...A brief introduction to IaC with Terraform by Kenton Robbins (codeHarbour May...
A brief introduction to IaC with Terraform by Kenton Robbins (codeHarbour May...
Alex Cachia353 views
Using Google Compute Engine by Lynn Langit
Using Google Compute EngineUsing Google Compute Engine
Using Google Compute Engine
Lynn Langit4.9K views
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft... by Amazon Web Services
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Using HashiCorp’s Terraform to build your infrastructure on AWS - Pop-up Loft...
Amazon Web Services10.4K views

Similar to Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid

CactusCon 2019: Exploiting IAM in GCP by
CactusCon 2019: Exploiting IAM in GCPCactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCPColin Estep
433 views31 slides
Lamdba micro service using Amazon Api Gateway by
Lamdba micro service using Amazon Api GatewayLamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api GatewayMike Becker
1.2K views32 slides
SRV315 Building Enterprise-Grade Serverless Apps by
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless AppsAmazon Web Services
1K views68 slides
Gcp intro-20160721 by
Gcp intro-20160721Gcp intro-20160721
Gcp intro-20160721Haeseung Lee
1.3K views83 slides
Andrew May - Getting Certified for Fun and Profit by
Andrew May - Getting Certified for Fun and ProfitAndrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and ProfitAWS Chicago
105 views60 slides
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-... by
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...Puppet
1.2K views56 slides

Similar to Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid(20)

CactusCon 2019: Exploiting IAM in GCP by Colin Estep
CactusCon 2019: Exploiting IAM in GCPCactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCP
Colin Estep433 views
Lamdba micro service using Amazon Api Gateway by Mike Becker
Lamdba micro service using Amazon Api GatewayLamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api Gateway
Mike Becker1.2K views
SRV315 Building Enterprise-Grade Serverless Apps by Amazon Web Services
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps
Amazon Web Services1K views
Gcp intro-20160721 by Haeseung Lee
Gcp intro-20160721Gcp intro-20160721
Gcp intro-20160721
Haeseung Lee1.3K views
Andrew May - Getting Certified for Fun and Profit by AWS Chicago
Andrew May - Getting Certified for Fun and ProfitAndrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and Profit
AWS Chicago105 views
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-... by Puppet
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
Puppet1.2K views
Google Cloud Container Security Quick Overview by Krishna-Kumar
Google Cloud Container Security Quick OverviewGoogle Cloud Container Security Quick Overview
Google Cloud Container Security Quick Overview
Krishna-Kumar 453 views
Session 4 GCCP.pptx by DSCIITPatna
Session 4 GCCP.pptxSession 4 GCCP.pptx
Session 4 GCCP.pptx
DSCIITPatna44 views
Introduction to GCP by Knoldus Inc.
Introduction to GCPIntroduction to GCP
Introduction to GCP
Knoldus Inc.147 views
Going Serverless with Kubeless In Google Container Engine (GKE) by Bitnami
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)
Bitnami1.1K views
Google auth dispelling the magic by Zaar Hai
Google auth dispelling the magicGoogle auth dispelling the magic
Google auth dispelling the magic
Zaar Hai24 views
GCP-pde.pdf by NirajKumar938204
GCP-pde.pdfGCP-pde.pdf
GCP-pde.pdf
NirajKumar938204181 views
Cloud native continuous delivery by Sami Alajrami
Cloud native continuous deliveryCloud native continuous delivery
Cloud native continuous delivery
Sami Alajrami110 views
Accelerate Digital Transformation with IBM Cloud Private by Michael Elder
Accelerate Digital Transformation with IBM Cloud PrivateAccelerate Digital Transformation with IBM Cloud Private
Accelerate Digital Transformation with IBM Cloud Private
Michael Elder6.1K views
DevOps, Microservices and Serverless Architecture by Mikhail Prudnikov
DevOps, Microservices and Serverless ArchitectureDevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless Architecture
Mikhail Prudnikov720 views
GCCP-Session 2 by GDSCIIITDHARWAD
GCCP-Session 2GCCP-Session 2
GCCP-Session 2
GDSCIIITDHARWAD21 views
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons by aspyker
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and DaemonsQConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
aspyker1.2K views
Aws organizations by Olaf Conijn
Aws organizationsAws organizations
Aws organizations
Olaf Conijn443 views
Azure Functions in Action #CodePaLOUsa by Baskar rao Dsn
Azure Functions in Action #CodePaLOUsaAzure Functions in Action #CodePaLOUsa
Azure Functions in Action #CodePaLOUsa
Baskar rao Dsn93 views
Exploring Cloud Computing with Amazon Web Services (AWS) by Kalema Edgar
Exploring Cloud Computing with Amazon Web Services (AWS)Exploring Cloud Computing with Amazon Web Services (AWS)
Exploring Cloud Computing with Amazon Web Services (AWS)
Kalema Edgar233 views

More from CloudVillage

Build to Hack, Hack to Build by
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to BuildCloudVillage
4.6K views46 slides
Phishing in the cloud era by
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud eraCloudVillage
4.4K views33 slides
Mining Malevolence: Cryptominers in the Cloud by
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudCloudVillage
4.1K views40 slides
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture by
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureCloudVillage
5.5K views41 slides
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti... by
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
6.2K views25 slides
Battle in the Clouds - Attacker vs Defender on AWS by
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWSCloudVillage
4.2K views28 slides

More from CloudVillage(11)

Build to Hack, Hack to Build by CloudVillage
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
CloudVillage4.6K views
Phishing in the cloud era by CloudVillage
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage4.4K views
Mining Malevolence: Cryptominers in the Cloud by CloudVillage
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage4.1K views
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture by CloudVillage
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage5.5K views
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti... by CloudVillage
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
CloudVillage6.2K views
Battle in the Clouds - Attacker vs Defender on AWS by CloudVillage
Battle in the Clouds - Attacker vs Defender on AWSBattle in the Clouds - Attacker vs Defender on AWS
Battle in the Clouds - Attacker vs Defender on AWS
CloudVillage4.2K views
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud by CloudVillage
Your Blacklist is Dead: Why the Future of Command and Control is the CloudYour Blacklist is Dead: Why the Future of Command and Control is the Cloud
Your Blacklist is Dead: Why the Future of Command and Control is the Cloud
CloudVillage4.2K views
Scaling Security in the Cloud With Open Source by CloudVillage
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open Source
CloudVillage4.1K views
Pragmatic Cloud Security Automation by CloudVillage
Pragmatic Cloud Security AutomationPragmatic Cloud Security Automation
Pragmatic Cloud Security Automation
CloudVillage4.3K views
MozDef Workshop slide by CloudVillage
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
CloudVillage4.3K views
Keynote - Cloudy Vision: How Cloud Integration Complicates Security by CloudVillage
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
CloudVillage4.4K views

Recently uploaded

GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
126 views32 slides
PRODUCT PRESENTATION.pptx by
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptxangelicacueva6
18 views1 slide
The Forbidden VPN Secrets.pdf by
The Forbidden VPN Secrets.pdfThe Forbidden VPN Secrets.pdf
The Forbidden VPN Secrets.pdfMariam Shaba
20 views72 slides
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors by
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensorssugiuralab
23 views15 slides
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...The Digital Insurer
24 views52 slides
Unit 1_Lecture 2_Physical Design of IoT.pdf by
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdfStephenTec
15 views36 slides

Recently uploaded(20)

GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson126 views
PRODUCT PRESENTATION.pptx by angelicacueva6
PRODUCT PRESENTATION.pptxPRODUCT PRESENTATION.pptx
PRODUCT PRESENTATION.pptx
angelicacueva618 views
The Forbidden VPN Secrets.pdf by Mariam Shaba
The Forbidden VPN Secrets.pdfThe Forbidden VPN Secrets.pdf
The Forbidden VPN Secrets.pdf
Mariam Shaba20 views
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors by sugiuralab
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab23 views
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading... by The Digital Insurer
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
Webinar : Desperately Seeking Transformation - Part 2: Insights from leading...
The Digital Insurer24 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec15 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil418 views
MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14137 views
SUPPLIER SOURCING.pptx by angelicacueva6
SUPPLIER SOURCING.pptxSUPPLIER SOURCING.pptx
SUPPLIER SOURCING.pptx
angelicacueva620 views
Uni Systems for Power Platform.pptx by Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.58 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum43 views
20231123_Camunda Meetup Vienna.pdf by Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH45 views
PharoJS - Zürich Smalltalk Group Meetup November 2023 by Noury Bouraqadi
PharoJS - Zürich Smalltalk Group Meetup November 2023PharoJS - Zürich Smalltalk Group Meetup November 2023
PharoJS - Zürich Smalltalk Group Meetup November 2023
Noury Bouraqadi139 views
Future of Indian ConsumerTech by Kapil Khandelwal (KK)
Future of Indian ConsumerTechFuture of Indian ConsumerTech
Future of Indian ConsumerTech
Kapil Khandelwal (KK)24 views
"Surviving highload with Node.js", Andrii Shumada by Fwdays
"Surviving highload with Node.js", Andrii Shumada "Surviving highload with Node.js", Andrii Shumada
"Surviving highload with Node.js", Andrii Shumada
Fwdays33 views
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe by Simone Puorto
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe
2024: A Travel Odyssey The Role of Generative AI in the Tourism Universe
Simone Puorto13 views
Piloting & Scaling Successfully With Microsoft Viva by Richard Harbridge
Piloting & Scaling Successfully With Microsoft VivaPiloting & Scaling Successfully With Microsoft Viva
Piloting & Scaling Successfully With Microsoft Viva
Richard Harbridge13 views
Info Session November 2023.pdf by AleksandraKoprivica4
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdf
AleksandraKoprivica415 views
Future of AR - Facebook Presentation by Rob McCarty
Future of AR - Facebook PresentationFuture of AR - Facebook Presentation
Future of AR - Facebook Presentation
Rob McCarty22 views
"Running students' code in isolation. The hard way", Yurii Holiuk by Fwdays
"Running students' code in isolation. The hard way", Yurii Holiuk "Running students' code in isolation. The hard way", Yurii Holiuk
"Running students' code in isolation. The hard way", Yurii Holiuk
Fwdays24 views

Exploiting IAM in the google cloud platform - dani_goland_mohsan_farid

  • 2. Who am I? ● Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
  • 3. My Organization colin-demo-project What’s the Story... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 4. My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
  • 5. Agenda ● IAM in GCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
  • 8. Types of Roles ● Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
  • 10. What are VPC Service Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
  • 12. Access Context Manager ● Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
  • 14. Combining the Controls ● Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
  • 16. What is a Service Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
  • 17. More about Service Accounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
  • 18. Default Service Account - Compute Engine Google advises against it:
  • 19. Compute Engine Service Account Role Contains a primitive role: ● Project Editor
  • 20. Service Account Impersonation Project Editor Permissions (1894 in total) VPC Service Controls
  • 21. Binding at the Project level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 22. Binding at the Service Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 23. Permissions for Impersonating a Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
  • 24. Why Service Account Impersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
  • 25. Access Scopes for Virtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
  • 27. My Organization colin-demo-project Our Scenario again... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 28. My Organization IAM Flow colin-demo-project Stolen credential instance-1 Compute Engine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
  • 29. My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
  • 30. Demo
  • 31. Key Takeaways ● Keep Service Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
  • 32. 2019 © Netskope Confidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog