SlideShare a Scribd company logo

Defcon 27 - Exploiting IAM in GCP

Download as PPTX, PDF
Netskope
Netskope

The document discusses exploiting identity and access management (IAM) in Google Cloud Platform (GCP). It begins with an introduction of the presenter and agenda. It then covers the key concepts of IAM in GCP, including role types, VPC service controls to control data flows, and access context manager. A deep dive on service accounts explains what they are, how bindings work, and the risk of impersonating service accounts. The demo illustrates a scenario where a stolen credential is used to impersonate a service account and access a storage bucket. Key takeaways recommend separating privileged service accounts, binding permissions at the account level, avoiding default accounts and primitive roles.

Technology
1 of 32
Exploiting IAM in GCP
Who am I? ● Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
My Organization colin-demo-project What’s the Story... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Agenda ● IAM in GCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
IAM in GCP
Types of Roles ● Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
VPC Service Controls
What are VPC Service Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
Access Context Manager ● Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
An Example Protecting: nsk-colin-child-bucket
Combining the Controls ● Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
Service Account Deep Dive
What is a Service Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
More about Service Accounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
Default Service Account - Compute Engine Google advises against it:
Compute Engine Service Account Role Contains a primitive role: ● Project Editor
Service Account Impersonation Project Editor Permissions (1894 in total) VPC Service Controls
Binding at the Project level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Binding at the Service Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
Permissions for Impersonating a Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
Why Service Account Impersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
Access Scopes for Virtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
GCP Demo
My Organization colin-demo-project Our Scenario again... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
My Organization IAM Flow colin-demo-project Stolen credential instance-1 Compute Engine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
Key Takeaways ● Keep Service Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
2019 © Netskope Confidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog

Recommended

Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open Source
CloudVillage
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
CloudVillage
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
CloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
CloudVillage
 
AWS Enterprise Summit Netherlands - AWS IoT
AWS Enterprise Summit Netherlands - AWS IoTAWS Enterprise Summit Netherlands - AWS IoT
AWS Enterprise Summit Netherlands - AWS IoT
Amazon Web Services
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
Amazon Web Services
 
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
Amazon Web Services
 

Recommended

Scaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open SourceScaling Security in the Cloud With Open Source
Scaling Security in the Cloud With Open Source
CloudVillage
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
CloudVillage
 
MozDef Workshop slide
MozDef Workshop slideMozDef Workshop slide
MozDef Workshop slide
CloudVillage
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
CloudVillage
 
AWS Enterprise Summit Netherlands - AWS IoT
AWS Enterprise Summit Netherlands - AWS IoTAWS Enterprise Summit Netherlands - AWS IoT
AWS Enterprise Summit Netherlands - AWS IoT
Amazon Web Services
 
Phishing in the cloud era
Phishing in the cloud eraPhishing in the cloud era
Phishing in the cloud era
CloudVillage
 
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
AWS re:Invent 2016: No More Ransomware: How Europol, the Dutch Police, and AW...
Amazon Web Services
 
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
AWS re:Invent 2016: Blockchain on AWS: Disrupting the Norm (GPST301)
Amazon Web Services
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
John Varghese
 
AWS Security
AWS Security AWS Security
AWS Security
Magdy El-Faramawy , MBA,PMP,CISA,CM,ITIL
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennai
vinoth kumar
 
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Amazon Web Services
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS
Amazon Web Services
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
Chris Farris
 
AWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security Model
Amazon Web Services
 
AWS Security
AWS SecurityAWS Security
AWS Security
armincoralic
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
James Anderson
 
Breakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with ScaniaBreakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with Scania
Amazon Web Services
 
Log Analytics with Wyng
Log Analytics with WyngLog Analytics with Wyng
Log Analytics with Wyng
Amazon Web Services
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
Amazon Web Services
 
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Amazon Web Services
 
Getting Started with AWS IoT
Getting Started with AWS IoTGetting Started with AWS IoT
Getting Started with AWS IoT
Amazon Web Services
 
Distributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect MarriageDistributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect Marriage
Amazon Web Services
 
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
Amazon Web Services
 
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Amazon Web Services
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
RightScale
 
Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)
Daniel Toomey
 
CactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCPCactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCP
Colin Estep
 
Lamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api GatewayLamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api Gateway
Mike Becker
 

More Related Content

What's hot

Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
John Varghese
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennai
vinoth kumar
 
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
Amazon Web Services
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
CloudVillage
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS
Amazon Web Services
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
Chris Farris
 
AWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security Model
Amazon Web Services
 
AWS Security
AWS SecurityAWS Security
AWS Security
armincoralic
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
James Anderson
 
Breakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with ScaniaBreakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with Scania
Amazon Web Services
 
Log Analytics with Wyng
Log Analytics with WyngLog Analytics with Wyng
Log Analytics with Wyng
Amazon Web Services
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
Amazon Web Services
 
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Amazon Web Services
 
Getting Started with AWS IoT
Getting Started with AWS IoTGetting Started with AWS IoT
Getting Started with AWS IoT
Amazon Web Services
 
Distributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect MarriageDistributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect Marriage
Amazon Web Services
 
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
Amazon Web Services
 
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Amazon Web Services
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
RightScale
 
Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)
Daniel Toomey
 

What's hot (20)

Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
 
AWS Security
AWS Security AWS Security
AWS Security
 
AWS security - NULL meet chennai
AWS security - NULL meet chennaiAWS security - NULL meet chennai
AWS security - NULL meet chennai
 
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
(MBL402) Mobile Identity Management & Data Sync Using Amazon Cognito
 
Mining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the CloudMining Malevolence: Cryptominers in the Cloud
Mining Malevolence: Cryptominers in the Cloud
 
(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS(SEC301) Strategies for Protecting Data Using Encryption in AWS
(SEC301) Strategies for Protecting Data Using Encryption in AWS
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
 
AWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security ModelAWS Webcast - Understanding the AWS Security Model
AWS Webcast - Understanding the AWS Security Model
 
AWS Security
AWS SecurityAWS Security
AWS Security
 
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud BoundariesGDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
GDG Cloud Southlake #9 Secure Cloud Networking - Beyond Cloud Boundaries
 
Breakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with ScaniaBreakout Session Devops at Amazon with Scania
Breakout Session Devops at Amazon with Scania
 
Log Analytics with Wyng
Log Analytics with WyngLog Analytics with Wyng
Log Analytics with Wyng
 
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0(SEC402) Enterprise Cloud Security via DevSecOps 2.0
(SEC402) Enterprise Cloud Security via DevSecOps 2.0
 
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
Security Assurance and Governance in AWS (SEC203) | AWS re:Invent 2013
 
Getting Started with AWS IoT
Getting Started with AWS IoTGetting Started with AWS IoT
Getting Started with AWS IoT
 
Distributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect MarriageDistributing Ledger on Cloud: The Perfect Marriage
Distributing Ledger on Cloud: The Perfect Marriage
 
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...From Monolith to Microservices - Containerized Microservices on AWS - April 2...
From Monolith to Microservices - Containerized Microservices on AWS - April 2...
 
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
Creating Your Virtual Data Center: Amazon VPC Fundamentals and Connectivity O...
 
RightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the CloudRightScale Webinar: Security and Compliance in the Cloud
RightScale Webinar: Security and Compliance in the Cloud
 
Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)Four Scenarios for an Integration Service Environment (ISE)
Four Scenarios for an Integration Service Environment (ISE)
 

Similar to Defcon 27 - Exploiting IAM in GCP

CactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCPCactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCP
Colin Estep
 
Lamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api GatewayLamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api Gateway
Mike Becker
 
SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps
Amazon Web Services
 
Gcp intro-20160721
Gcp intro-20160721Gcp intro-20160721
Gcp intro-20160721
Haeseung Lee
 
Andrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and ProfitAndrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and Profit
AWS Chicago
 
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
Puppet
 
Google Cloud Container Security Quick Overview
Google Cloud Container Security Quick OverviewGoogle Cloud Container Security Quick Overview
Google Cloud Container Security Quick Overview
Krishna-Kumar
 
Serverless and Design Patterns In GCP
Serverless and Design Patterns In GCPServerless and Design Patterns In GCP
Serverless and Design Patterns In GCP
Oliver Fierro
 
Session 4 GCCP.pptx
Session 4 GCCP.pptxSession 4 GCCP.pptx
Session 4 GCCP.pptx
DSCIITPatna
 
Introduction to GCP
Introduction to GCPIntroduction to GCP
Introduction to GCP
Knoldus Inc.
 
Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)
Bitnami
 
Introduction to GCP presentation
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentation
Mohit Kachhwani
 
Google auth dispelling the magic
Google auth dispelling the magicGoogle auth dispelling the magic
Google auth dispelling the magic
Zaar Hai
 
GCP-pde.pdf
GCP-pde.pdfGCP-pde.pdf
GCP-pde.pdf
NirajKumar938204
 
Cloud native continuous delivery
Cloud native continuous deliveryCloud native continuous delivery
Cloud native continuous delivery
Sami Alajrami
 
Accelerate Digital Transformation with IBM Cloud Private
Accelerate Digital Transformation with IBM Cloud PrivateAccelerate Digital Transformation with IBM Cloud Private
Accelerate Digital Transformation with IBM Cloud Private
Michael Elder
 
DevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless ArchitectureDevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless Architecture
Mikhail Prudnikov
 
GCCP-Session 2
GCCP-Session 2GCCP-Session 2
GCCP-Session 2
GDSCIIITDHARWAD
 
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and DaemonsQConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
aspyker
 
Aws organizations
Aws organizationsAws organizations
Aws organizations
Olaf Conijn
 

Similar to Defcon 27 - Exploiting IAM in GCP (20)

CactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCPCactusCon 2019: Exploiting IAM in GCP
CactusCon 2019: Exploiting IAM in GCP
 
Lamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api GatewayLamdba micro service using Amazon Api Gateway
Lamdba micro service using Amazon Api Gateway
 
SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps SRV315 Building Enterprise-Grade Serverless Apps
SRV315 Building Enterprise-Grade Serverless Apps
 
Gcp intro-20160721
Gcp intro-20160721Gcp intro-20160721
Gcp intro-20160721
 
Andrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and ProfitAndrew May - Getting Certified for Fun and Profit
Andrew May - Getting Certified for Fun and Profit
 
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
PuppetConf 2017: Kubernetes in the Cloud w/ Puppet + Google Container Engine-...
 
Google Cloud Container Security Quick Overview
Google Cloud Container Security Quick OverviewGoogle Cloud Container Security Quick Overview
Google Cloud Container Security Quick Overview
 
Serverless and Design Patterns In GCP
Serverless and Design Patterns In GCPServerless and Design Patterns In GCP
Serverless and Design Patterns In GCP
 
Session 4 GCCP.pptx
Session 4 GCCP.pptxSession 4 GCCP.pptx
Session 4 GCCP.pptx
 
Introduction to GCP
Introduction to GCPIntroduction to GCP
Introduction to GCP
 
Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)Going Serverless with Kubeless In Google Container Engine (GKE)
Going Serverless with Kubeless In Google Container Engine (GKE)
 
Introduction to GCP presentation
Introduction to GCP presentationIntroduction to GCP presentation
Introduction to GCP presentation
 
Google auth dispelling the magic
Google auth dispelling the magicGoogle auth dispelling the magic
Google auth dispelling the magic
 
GCP-pde.pdf
GCP-pde.pdfGCP-pde.pdf
GCP-pde.pdf
 
Cloud native continuous delivery
Cloud native continuous deliveryCloud native continuous delivery
Cloud native continuous delivery
 
Accelerate Digital Transformation with IBM Cloud Private
Accelerate Digital Transformation with IBM Cloud PrivateAccelerate Digital Transformation with IBM Cloud Private
Accelerate Digital Transformation with IBM Cloud Private
 
DevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless ArchitectureDevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless Architecture
 
GCCP-Session 2
GCCP-Session 2GCCP-Session 2
GCCP-Session 2
 
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and DaemonsQConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
QConSF18 - Disenchantment: Netflix Titus, its Feisty Team, and Daemons
 
Aws organizations
Aws organizationsAws organizations
Aws organizations
 

More from Netskope

Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
Netskope
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Netskope
 
MalCon Future of Security
MalCon Future of SecurityMalCon Future of Security
MalCon Future of Security
Netskope
 
Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
Netskope
 
DEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS LoopholesDEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS Loopholes
Netskope
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and Control
Netskope
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud Era
Netskope
 
The Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - PresentationThe Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - Presentation
Netskope
 
June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report
Netskope
 
June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report
Netskope
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
Netskope
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
Netskope
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Netskope
 
Quantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate LeadershipQuantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate Leadership
Netskope
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Netskope
 
Autumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud ReportAutumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud Report
Netskope
 
Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report
Netskope
 
Cloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity EditionCloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity Edition
Netskope
 
Reference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the CloudReference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the Cloud
Netskope
 
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Netskope
 

More from Netskope (20)

Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
 
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
Why Everyone Needs a Cloud-First Security Program - SASEfaction Guaranteed!
 
MalCon Future of Security
MalCon Future of SecurityMalCon Future of Security
MalCon Future of Security
 
Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
 
DEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS LoopholesDEF CON 27 - Exploiting AWS Loopholes
DEF CON 27 - Exploiting AWS Loopholes
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and Control
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud Era
 
The Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - PresentationThe Definitive CASB Business Case Kit - Presentation
The Definitive CASB Business Case Kit - Presentation
 
June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report June 2016 EMEA Netskope Cloud Report
June 2016 EMEA Netskope Cloud Report
 
June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report June 2016 Worldwide Netskope Cloud Report
June 2016 Worldwide Netskope Cloud Report
 
5 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 3655 Highest-Impact CASB Use Cases - Office 365
5 Highest-Impact CASB Use Cases - Office 365
 
5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases5 Highest-Impact CASB Use Cases
5 Highest-Impact CASB Use Cases
 
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the CloudCure for the Common Cloud: How Healthcare can Safely Enable the Cloud
Cure for the Common Cloud: How Healthcare can Safely Enable the Cloud
 
Quantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate LeadershipQuantifying Cloud Risk for Your Corporate Leadership
Quantifying Cloud Risk for Your Corporate Leadership
 
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
Lions, Tigers, and PHI, Oh My! The latest in data loss prevention in the cloud.
 
Autumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud ReportAutumn 2015 EMEA Netskope Cloud Report
Autumn 2015 EMEA Netskope Cloud Report
 
Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report Fall 2015 Worldwide Netskope Cloud Report
Fall 2015 Worldwide Netskope Cloud Report
 
Cloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity EditionCloud Security for Dummies Webinar — The Identity Edition
Cloud Security for Dummies Webinar — The Identity Edition
 
Reference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the CloudReference Architecture for Data Loss Prevention in the Cloud
Reference Architecture for Data Loss Prevention in the Cloud
 
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...Office 365 in Focus. Security and Governance Strategies from the Experts - We...
Office 365 in Focus. Security and Governance Strategies from the Experts - We...
 

Recently uploaded

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
Fwdays
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 

Recently uploaded (20)

Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 

Defcon 27 - Exploiting IAM in GCP

  • 2. Who am I? ● Formerly Security @ Apple, Netflix ● Startup experience: built cloud security software ● Currently Research @ Netskope ● Focused on AWS, GCP
  • 3. My Organization colin-demo-project What’s the Story... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 4. My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
  • 5. Agenda ● IAM in GCP ● VPC Service Controls ● Service Account Deep Dive ● GCP Demo ● Q&A
  • 7.
  • 8. Types of Roles ● Primitive Roles - created by Google (not recommended) ○ Owner ○ Editor ○ Viewer ● Predefined Roles - created by Google ○ Compute Instance Admin ○ Storage Object Viewer ○ etc. ● Custom Roles - defined by users
  • 10. What are VPC Service Controls? ● Designed to mitigate Data Exfiltration risks ○ Create perimeters around your resources, such as Storage buckets ○ Control the movement of data past the boundaries of your perimeter ○ Set conditions to allow data flow outside of the perimeter ● Independent of IAM policies ○ IAM allow access would still be blocked based on the service control perimeter
  • 11.
  • 12. Access Context Manager ● Another service that works in tandem with VPC service controls ● Allows admins to define the rules for access using certain criteria ○ Device type and operating system ○ IP address ○ User identity
  • 14. Combining the Controls ● Google says: IAM + VPC Service Controls = Defense in Depth ● IAM can be misconfigured, but the Service Controls protect you ● Everyone should be monitoring changes to these controls ○ What if someone changes the access level rule to allow all traffic from multiple countries? ○ What if somebody removes a service control perimeter?
  • 16. What is a Service Account? ● Identity for applications to authenticate ● Designed for non-human use ● Uses RSA keys instead of passwords ● Can’t access the web console ● Also considered resources – can apply bindings to them
  • 17. More about Service Accounts ● A service account must be created in a Project ● IAM bindings can be granted at any level ● Elevated Bindings = bindings at the Folder, Organization ● Google creates some service accounts automatically ● Default account for Compute Engine, App Engine, etc. ● Accounts they will use for internal processing
  • 18. Default Service Account - Compute Engine Google advises against it:
  • 19. Compute Engine Service Account Role Contains a primitive role: ● Project Editor
  • 20. Service Account Impersonation Project Editor Permissions (1894 in total) VPC Service Controls
  • 21. Binding at the Project level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 22. Binding at the Service Account Level colin-demo-project Service Account User Cloud IAM Service Account 1 Cloud IAM Service Account 2 Cloud IAM Service Account 3 Cloud IAM Service Account 4 Cloud IAM
  • 23. Permissions for Impersonating a Service Account ● Generating Service Account Keys ○ iam.serviceAccountKeys.create ○ iam.serviceAccountKeys.get ● Impersonation only ○ iam.serviceAccounts.actAs
  • 24. Why Service Account Impersonation? ● Privilege Escalation ● It’s easy to lose track: a. VMs could have service accounts b. SSH keys could be applied project-wide c. User can now operate as the service account from a VM ● Obfuscates your activity in GCP
  • 25. Access Scopes for Virtual Machines ● Legacy Method for applying permissions ● Must be set when using a service account ● Restricts API access for the service account ● Set on a per-instance basis
  • 27. My Organization colin-demo-project Our Scenario again... nsk-colin-child-bucket colin_perimeter colin-child-project Service account instance-1 Compute Engine nsk-colin-child-bucket Cloud Storage Stolen credential Shell Access
  • 28. My Organization IAM Flow colin-demo-project Stolen credential instance-1 Compute Engine Default SA Cloud IAM Org Admin Cloud IAM Org Admin Cloud IAM Shell Access SA Impersonation colin_perimeter IAM Binding colin-child-project nsk-colin-child-bucket Cloud Storage
  • 29. My Organization End Condition colin-child-project nsk-colin-child-bucket Cloud Storage colin-demo-project instance-1 Compute Engine
  • 30.
  • 31. Key Takeaways ● Keep Service Accounts with elevated bindings in their own Project(s) ○ Keep public workloads out of the Project ○ Keep the Project under lock and key ○ Service accounts in the same Project may be able to see each other ● Bind permissions to specific Service Accounts whenever possible ● Don’t use Default Service Accounts ● Avoid using Primitive Roles
  • 32. 2019 © Netskope Confidential. All rights reserved. Thank you! Colin Estep Netskope Threat Research https://www.netskope.com/blog