Lateral Movement and Privilege Escalation in GCP; Compromise any Organization without Dropping an Implant

Virtual, October 22, 2020, 1:00 pm - 1:40 pm


Dylan Ayrey
Allison Donovan

Google Cloud's security model differs in many ways from AWS's. Spark jobs, Cloud Functions, Jupyter Notebooks, and more run by default as identities that hold administrative capabilities over cloud APIs. Instead of starting from no capabilities, permissions are granted to these default identities. One permission they hold by default is actAs (iam.serviceAccounts.actAs), which lets a workload assume the identity of every service account in its project; many of those service accounts in turn have role bindings into other projects and across an organization's resources.

This means that, by default, many APIs and identities can compromise large swaths of an organization by moving laterally: impersonating, or otherwise gaining access to, other identities. None of this requires dropping a single implant on a machine.
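The two paragraphs above describe a graph: a default identity holds a project-wide actAs-capable role, every service account in that project becomes reachable, and those service accounts' bindings in other projects open the next hop. The script below, added here as an illustration and not one of the talk's released tools, walks that graph over a constructed, simplified IAM dump and also lists the project-wide actAs holders a hardening pass would want to remove. Project IDs, emails and bindings are made up; the set of roles treated as actAs-capable is an assumed subset of what real IAM role expansion would show.

```python
"""Blast radius of the project-wide actAs path described above.

Constructed, simplified input: per project, its service accounts and its
project-level IAM bindings. In practice this would be filled from
`gcloud projects get-iam-policy` and `gcloud iam service-accounts list`.
The role set below is an assumed subset; a real analysis expands each role
to its permissions and also needs e.g. compute.instances.create to attach
a service account to a new VM (Editor and Owner include it).
"""
from collections import deque

# Project-level roles assumed to carry iam.serviceAccounts.actAs (or token
# creation) over every service account in the project.
ACT_AS_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountTokenCreator",
}

# Constructed sample organization. The Compute Engine default SA of
# analytics-dev holds Editor (the historical default grant); etl-runner has
# bindings into data-prod; bq-admin is Owner of shared-infra.
ORG = {
    "analytics-dev": {
        "service_accounts": [
            "111111-compute@developer.gserviceaccount.com",
            "etl-runner@analytics-dev.iam.gserviceaccount.com",
        ],
        "bindings": [
            {"role": "roles/editor",
             "members": ["serviceAccount:111111-compute@developer.gserviceaccount.com"]},
            {"role": "roles/viewer", "members": ["user:analyst@example.com"]},
        ],
    },
    "data-prod": {
        "service_accounts": ["bq-admin@data-prod.iam.gserviceaccount.com"],
        "bindings": [
            {"role": "roles/bigquery.admin",
             "members": ["serviceAccount:etl-runner@analytics-dev.iam.gserviceaccount.com"]},
            {"role": "roles/iam.serviceAccountUser",
             "members": ["serviceAccount:etl-runner@analytics-dev.iam.gserviceaccount.com"]},
        ],
    },
    "shared-infra": {
        "service_accounts": ["terraform@shared-infra.iam.gserviceaccount.com"],
        "bindings": [
            {"role": "roles/owner",
             "members": ["serviceAccount:bq-admin@data-prod.iam.gserviceaccount.com"]},
        ],
    },
}


def member_id(sa_email):
    """IAM member string for a service account email."""
    return "serviceAccount:" + sa_email


def roles_in_project(org, project, member):
    """Roles `member` holds through the project-level policy of `project`."""
    return {b["role"] for b in org[project]["bindings"] if member in b["members"]}


def act_as_targets(org, member):
    """Service accounts `member` can run code as, via project-wide actAs roles."""
    targets = set()
    for project, data in org.items():
        if roles_in_project(org, project, member) & ACT_AS_ROLES:
            targets.update(data["service_accounts"])
    return targets


def blast_radius(org, start_member):
    """BFS over identities. Each hop: act as a service account of a project
    where the current identity holds an actAs-capable role.
    Returns (reachable members, projects where any of them holds a role)."""
    seen = {start_member}
    queue = deque([start_member])
    while queue:
        member = queue.popleft()
        for sa in act_as_targets(org, member):
            if member_id(sa) not in seen:
                seen.add(member_id(sa))
                queue.append(member_id(sa))
    projects = {p for p in org for m in seen if roles_in_project(org, p, m)}
    return seen, projects


def project_wide_act_as(org):
    """Hardening check: principals holding a project-wide actAs-capable role.
    Each one is a pivot point; prefer serviceAccountUser on individual SAs."""
    return {
        project: sorted({m for b in data["bindings"] if b["role"] in ACT_AS_ROLES
                         for m in b["members"]})
        for project, data in org.items()
    }


if __name__ == "__main__":
    start = member_id("111111-compute@developer.gserviceaccount.com")
    members, projects = blast_radius(ORG, start)
    print(f"{start} reaches {len(members)} identities across {sorted(projects)}")
    for project, holders in project_wide_act_as(ORG).items():
        print(project, "project-wide actAs holders:", holders)
```

In the sample data, the default compute identity of one development project ends up as Owner of a third project without a single binding naming it directly; the hops are purely via actAs on intermediate service accounts.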

In this talk, we'll demonstrate several techniques for identity compromise via the actAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. We will also release tools for exploitation.

Next, we'll show what detection capabilities are possible in the Google Cloud ecosystem: the Stackdriver (Cloud Logging) audit log entries that correspond to our exploitation techniques, and the limitations in what's available. We'll also release tools and queries that can be used for detection, along with insight into how we have attempted to tackle this problem at scale.
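As an added example of the kind of detection logic the paragraph above refers to (not the talk's released queries), the script below runs over a handful of constructed Cloud Audit Log entries and flags three signals of the actAs and impersonation techniques: a token minted for another service account through the IAM Credentials API, a resource created with a different service account attached, and a call made with a delegated (impersonated) token. The entries, method names and request fields are written from memory of the audit log shape and should be checked against your own logs; the note that IAM Credentials API data-access logging must be enabled is an assumption to verify in your organization.

```python
"""Detection over Cloud Audit Log entries for the techniques above.

Three signals are checked:
  1. Service-account impersonation via the IAM Credentials API
     (GenerateAccessToken and friends). Assumption: these are Data Access
     audit logs and must be enabled for iamcredentials.googleapis.com.
  2. A resource created with a different service account attached
     (the actAs path), shown for VM and Cloud Function creation.
  3. Calls whose authenticationInfo carries serviceAccountDelegationInfo,
     i.e. made with a token obtained through impersonation.
Entries below are constructed in the Cloud Audit Log shape; in practice
they would come from `gcloud logging read --format=json`.
"""

IMPERSONATION_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}
# Identities GCP services run as unless told otherwise.
DEFAULT_SA_SUFFIXES = ("@developer.gserviceaccount.com", "@appspot.gserviceaccount.com")


def attached_service_accounts(payload):
    """Service accounts a resource-creating call attaches (method-specific request fields)."""
    method = payload.get("methodName", "")
    req = payload.get("request", {})
    if method == "v1.compute.instances.insert":
        return [sa["email"] for sa in req.get("serviceAccounts", [])]
    if method.endswith("CloudFunctionsService.CreateFunction"):
        email = req.get("function", {}).get("serviceAccountEmail")
        return [email] if email else []
    return []


def classify(entry):
    """Return (kind, actor, target_sa, method) tuples for one log entry."""
    payload = entry["protoPayload"]
    auth = payload["authenticationInfo"]
    caller = auth["principalEmail"]
    method = payload.get("methodName", "")
    findings = []
    if payload.get("serviceName") == "iamcredentials.googleapis.com" and method in IMPERSONATION_METHODS:
        # resourceName looks like projects/-/serviceAccounts/<email>
        target = payload["resourceName"].rsplit("/", 1)[-1]
        findings.append(("impersonation", caller, target, method))
    for sa in attached_service_accounts(payload):
        if sa != caller:
            findings.append(("actAs-attach", caller, sa, method))
    for delegation in auth.get("serviceAccountDelegationInfo", []):
        original = delegation.get("firstPartyPrincipal", {}).get("principalEmail")
        if original:
            # The actual actor is the identity that obtained the delegated token.
            findings.append(("delegated-call", original, caller, method))
    return findings


def is_default_identity(email):
    return email.endswith(DEFAULT_SA_SUFFIXES)


def scan(entries):
    """Classify every entry; mark findings whose actor is a default identity."""
    findings = []
    for entry in entries:
        for kind, actor, target, method in classify(entry):
            findings.append({"kind": kind, "actor": actor, "target": target,
                             "method": method,
                             "from_default_identity": is_default_identity(actor)})
    return findings


# Constructed sample entries (emails, project IDs and resource names made up).
COMPUTE_SA = "111111-compute@developer.gserviceaccount.com"
ETL_SA = "etl-runner@analytics-dev.iam.gserviceaccount.com"
BQ_SA = "bq-admin@data-prod.iam.gserviceaccount.com"

SAMPLE_ENTRIES = [
    {"protoPayload": {
        "serviceName": "iamcredentials.googleapis.com",
        "methodName": "GenerateAccessToken",
        "resourceName": f"projects/-/serviceAccounts/{ETL_SA}",
        "authenticationInfo": {"principalEmail": COMPUTE_SA}}},
    {"protoPayload": {
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert",
        "resourceName": "projects/data-prod/zones/us-central1-a/instances/pivot-vm",
        "request": {"serviceAccounts": [
            {"email": BQ_SA, "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
        "authenticationInfo": {"principalEmail": COMPUTE_SA}}},
    {"protoPayload": {
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get",
        "resourceName": "projects/_/buckets/reports/objects/q3.pdf",
        "authenticationInfo": {"principalEmail": "analyst@example.com"}}},
    {"protoPayload": {
        "serviceName": "bigquery.googleapis.com",
        "methodName": "jobservice.insert",
        "resourceName": "projects/data-prod/jobs/job_abc",
        "authenticationInfo": {
            "principalEmail": ETL_SA,
            "serviceAccountDelegationInfo": [
                {"firstPartyPrincipal": {"principalEmail": COMPUTE_SA}}]}}},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f)
```

The third entry, an ordinary user reading an object, produces no finding; the other three each produce one, and all three are attributed to the compute default identity, including the BigQuery call that was made under etl-runner's name with a delegated token.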

Lastly, we'll go over remediation steps you can take as a Google Cloud customer, and show how difficult it can be to secure yourself against these attacks. We will release tools that can be used to harden your organization, and walk through user stories and anecdotes of what this process looks like at scale within our organization.