Netskope, profile picture
Uploaded byNetskope
PPTX, PDF676 views

Defcon 27 - Exploiting IAM in GCP

The document discusses exploiting identity and access management (IAM) in Google Cloud Platform (GCP). It begins with an introduction of the presenter and agenda. It then covers the key concepts of IAM in GCP, including role types, VPC service controls to control data flows, and access context manager. A deep dive on service accounts explains what they are, how bindings work, and the risk of impersonating service accounts. The demo illustrates a scenario where a stolen credential is used to impersonate a service account and access a storage bucket. Key takeaways recommend separating privileged service accounts, binding permissions at the account level, avoiding default accounts and primitive roles.

Embed presentation

Downloaded 25 times
Exploiting IAM in GCP
Who am I? ● Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
My Organization colin-demo-project What’s the Story... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Agenda ● IAM in GCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
IAM in GCP
Types of Roles ● Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
VPC Service Controls
What are VPC Service Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
Access Context Manager ● Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
An Example Protecting: nsk-colin-child-bucket
Combining the Controls ● Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
Service Account Deep Dive
What is a Service Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
More about Service Accounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
Default Service Account - Compute Engine Google advises against it:
Compute Engine Service Account Role Contains a primitive role: ● Project Editor
Service Account Impersonation Project Editor Permissions (1894 in total) VPC Service Controls
Binding at the Project level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Binding at the Service Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Permissions for Impersonating a Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
Why Service Account Impersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
Access Scopes for Virtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
GCP Demo
My Organization colin-demo-project Our Scenario again... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization IAM Flow colin-demo-project Stolen credential instance-1 Compute Engine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Key Takeaways ● Keep Service Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
2019 © Netskope Confidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog

More Related Content

PPTX
Scaling Security in the Cloud With Open Source
byCloudVillage
 
PDF
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
PDF
MozDef Workshop slide
byCloudVillage
 
PDF
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
PDF
Phishing in the cloud era
byCloudVillage
 
PPTX
Of CORS thats a thing how CORS in the cloud still kills security
byJohn Varghese
 
PPTX
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
PPTX
AWS security - NULL meet chennai
byvinoth kumar
 
Scaling Security in the Cloud With Open Source
byCloudVillage
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
byCloudVillage
 
MozDef Workshop slide
byCloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
byCloudVillage
 
Phishing in the cloud era
byCloudVillage
 
Of CORS thats a thing how CORS in the cloud still kills security
byJohn Varghese
 
AWS Security
byMagdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
AWS security - NULL meet chennai
byvinoth kumar
 

What's hot

PDF
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
PPTX
Building A Cloud Security Strategy for Scale
byChris Farris
 
PDF
AWS Security
byarmincoralic
 
PDF
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
byJames Anderson
 
PDF
RightScale Webinar: Security and Compliance in the Cloud
byRightScale
 
PPTX
Four Scenarios for an Integration Service Environment (ISE)
byDaniel Toomey
 
Mining Malevolence: Cryptominers in the Cloud
byCloudVillage
 
Building A Cloud Security Strategy for Scale
byChris Farris
 
AWS Security
byarmincoralic
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
byJames Anderson
 
RightScale Webinar: Security and Compliance in the Cloud
byRightScale
 
Four Scenarios for an Integration Service Environment (ISE)
byDaniel Toomey
 

Similar to Defcon 27 - Exploiting IAM in GCP

PDF
CactusCon 2019: Exploiting IAM in GCP
byColin Estep
 
PDF
Google Cloud Security Engineer Exam Prep sheet.pdf
byssuser9d32e2
 
PPTX
gcpchapter1meetup-200301103601. google cloudpptx
byJatin541436
 
PPTX
Introduction to GCP presentation
byMohit Kachhwani
 
PPTX
IBM Cloud VPC Deep Dive
byNagesh Ramamoorthy
 
PDF
Cloud IAM 101.pdf
byLuillyfe Blanco
 
PDF
Google auth - dispelling the magic
byZaar Hai
 
PDF
Securing Content in the Cloud
byETCenter
 
PPTX
Google Cloud Platform AI Training in Hyderabad | Google Cloud AI Course Online
bysusheel visualpath
 
PDF
Google auth dispelling the magic
byZaar Hai
 
PDF
Hacking GCP For Fun by Agnibha Dutta.pdf
bynull - The Open Security Community
 
PPTX
GCCP Session.pptx
byIshwariKulkarni6
 
PPTX
ORACLE OCI - Identity and Access Management Service
byexposie1
 
PPTX
GCP IAM.pptx
byMohitBabbar6
 
PPTX
Research paper.pptx
byShibiApp
 
PPTX
Identity Management: Using OIDC to Empower the Next-Generation Apps
byTom Freestone
 
PDF
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
PPTX
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
byCloud Village
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
PDF
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
byJean-François LOMBARDO
 
CactusCon 2019: Exploiting IAM in GCP
byColin Estep
 
Google Cloud Security Engineer Exam Prep sheet.pdf
byssuser9d32e2
 
gcpchapter1meetup-200301103601. google cloudpptx
byJatin541436
 
Introduction to GCP presentation
byMohit Kachhwani
 
IBM Cloud VPC Deep Dive
byNagesh Ramamoorthy
 
Cloud IAM 101.pdf
byLuillyfe Blanco
 
Google auth - dispelling the magic
byZaar Hai
 
Securing Content in the Cloud
byETCenter
 
Google Cloud Platform AI Training in Hyderabad | Google Cloud AI Course Online
bysusheel visualpath
 
Google auth dispelling the magic
byZaar Hai
 
Hacking GCP For Fun by Agnibha Dutta.pdf
bynull - The Open Security Community
 
GCCP Session.pptx
byIshwariKulkarni6
 
ORACLE OCI - Identity and Access Management Service
byexposie1
 
GCP IAM.pptx
byMohitBabbar6
 
Research paper.pptx
byShibiApp
 
Identity Management: Using OIDC to Empower the Next-Generation Apps
byTom Freestone
 
DevSecCon London 2019: Workshop: Cloud Agnostic Security Testing with Scout S...
byDevSecCon
 
One Click, Six Services - Abusing The Dangerous Multi-service Orchestration P...
byCloud Village
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
Jeff Lombardo - Enforcing access control in depth with AWS - v1.2.pdf
byJean-François LOMBARDO
 

More from Netskope

PPTX
Netskope Threat Labs: Cloud As an Attack Vector
byNetskope
 
PDF
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
byNetskope
 
PDF
MalCon Future of Security
byNetskope
 
PDF
Phishing in the Cloud Era (BSides)
byNetskope
 
PPTX
DEF CON 27 - Exploiting AWS Loopholes
byNetskope
 
PPTX
Defcon 27 - The Future of Command and Control
byNetskope
 
PPTX
Defcon 27 - Phishing in the Cloud Era
byNetskope
 
PPTX
The Definitive CASB Business Case Kit - Presentation
byNetskope
 
PDF
June 2016 EMEA Netskope Cloud Report
byNetskope
 
PDF
June 2016 Worldwide Netskope Cloud Report
byNetskope
 
PPTX
5 Highest-Impact CASB Use Cases - Office 365
byNetskope
 
PPTX
5 Highest-Impact CASB Use Cases
byNetskope
 
PPTX
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
byNetskope
 
PPTX
Quantifying Cloud Risk for Your Corporate Leadership
byNetskope
 
PPTX
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
byNetskope
 
PDF
Autumn 2015 EMEA Netskope Cloud Report
byNetskope
 
PDF
Fall 2015 Worldwide Netskope Cloud Report
byNetskope
 
PPTX
Cloud Security for Dummies Webinar — The Identity Edition
byNetskope
 
PPTX
Reference Architecture for Data Loss Prevention in the Cloud
byNetskope
 
PPTX
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
byNetskope
 
Netskope Threat Labs: Cloud As an Attack Vector
byNetskope
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
byNetskope
 
MalCon Future of Security
byNetskope
 
Phishing in the Cloud Era (BSides)
byNetskope
 
DEF CON 27 - Exploiting AWS Loopholes
byNetskope
 
Defcon 27 - The Future of Command and Control
byNetskope
 
Defcon 27 - Phishing in the Cloud Era
byNetskope
 
The Definitive CASB Business Case Kit - Presentation
byNetskope
 
June 2016 EMEA Netskope Cloud Report
byNetskope
 
June 2016 Worldwide Netskope Cloud Report
byNetskope
 
5 Highest-Impact CASB Use Cases - Office 365
byNetskope
 
5 Highest-Impact CASB Use Cases
byNetskope
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
byNetskope
 
Quantifying Cloud Risk for Your Corporate Leadership
byNetskope
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
byNetskope
 
Autumn 2015 EMEA Netskope Cloud Report
byNetskope
 
Fall 2015 Worldwide Netskope Cloud Report
byNetskope
 
Cloud Security for Dummies Webinar — The Identity Edition
byNetskope
 
Reference Architecture for Data Loss Prevention in the Cloud
byNetskope
 
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
byNetskope
 

Recently uploaded

PDF
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
PDF
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
PDF
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
PDF
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
Cross-Cultural Agile Development -Challenges and Strategies for Overcoming Them-
byTakashi Makino
 
Fundamentals and Frontiers of Post Quantum Cryptography
byGokul Alex
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
How to Evaluate a High Performance Database
byScyllaDB
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Data Virtualization in Action: Scaling APIs and Apps with FME
bySafe Software
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Building Agents in Microsoft Agent Framework.pptx
byUdaiappa Ramachandran
 
Is It Possible to Have Wi-Fi Without an Internet Provider
bySidra Jefferi
 
Real-Time Data Insight Using Microsoft Forms for Business
byElevate
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
WCAG Analyzer Tools and Techniques for User-Friendly Websites
byAccessibility Analyzer
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
DYNAMICALLY.pptx good for the teachers or students to do seminars and for tea...
bympoorvika031
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 

Defcon 27 - Exploiting IAM in GCP

  • 1.
  • 2.
    Who am I? ●Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
  • 3.
    My Organization colin-demo-project What’s theStory... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 4.
    My Organization End Condition colin-child-project nsk-colin-child-bucket CloudStorage colin-demo-project instance-1 Compute Engine
  • 5.
    Agenda ● IAM inGCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
  • 6.
  • 8.
    Types of Roles ●Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
  • 9.
  • 10.
    What are VPCService Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
  • 12.
    Access Context Manager ●Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
  • 13.
  • 14.
    Combining the Controls ●Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
  • 15.
  • 16.
    What is aService Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
  • 17.
    More about ServiceAccounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
  • 18.
    Default Service Account- Compute Engine Google advises against it:
  • 19.
    Compute Engine ServiceAccount Role Contains a primitive role: ● Project Editor
  • 20.
    Service Account Impersonation ProjectEditor Permissions (1894 in total) VPC Service Controls
  • 21.
    Binding at theProject level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 22.
    Binding at theService Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 23.
    Permissions for Impersonatinga Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
  • 24.
    Why Service AccountImpersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
  • 25.
    Access Scopes forVirtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
  • 26.
  • 27.
    My Organization colin-demo-project Our Scenarioagain... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 28.
    My Organization IAM Flow colin-demo-project Stolen credential instance-1 ComputeEngine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
  • 29.
    My Organization End Condition colin-child-project nsk-colin-child-bucket CloudStorage colin-demo-project instance-1 Compute Engine
  • 31.
    Key Takeaways ● KeepService Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
  • 32.
    2019 © NetskopeConfidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog