Misconfigurations with Google Cloud IAM

Introduction

Identity and Access Management (IAM) lets administrators authorize who can take action on specific resources, giving you full control and visibility to manage Google Cloud resources. Google Cloud IAM allows users and service accounts to be created so that resources can be used, updated and manipulated by IAM entities per the roles assigned to them.

What are we going to cover

We will take a look at what Google Cloud IAM looks like, the common IAM entities, and the most common security weaknesses that cause users and service accounts to become over-privileged.

Misconfigurations and Attacks (Discussion)

In our demo setup, we have various users and service accounts that are configured for different purposes based on the resource access each of them requires.

The following misconfigurations are evident:

Users / User Principals

The following users appear to be outside the organization and hold extra privileges:

  • riyazwalikar@gmail.com

  • rjrocks1337@gmail.com

[Screenshot: outside users]

The Editor role, for example, is usually assigned to users and service accounts so they can perform actions within Google Cloud without performing administrative tasks. In practice it carries a large number of permissions that can be abused.

[Screenshot: editor role]

The security insights feature of Google Cloud IAM provides an opinion regarding the number of excess permissions on IAM principals. Security insights show patterns in how a principal accesses a resource. Using machine learning, Google Cloud analyzes these insights to recommend ways to safely make those principals more secure.

Treat these recommendations as guidance rather than absolute instructions, since each infrastructure is unique.

[Screenshot: excess perms]

Service Accounts

Service accounts are used by resources to perform cloud-related activities. For example, if a VM instance wants to write to a Google Storage bucket, it needs to obtain a token for its service account to perform the necessary action.

[Screenshot: service account]

In this example, the service account shown, 1097328787363-compute@developer.gserviceaccount.com, has the privileged Project IAM Admin role attached.
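To make the two findings above (external user principals, and the Editor / Project IAM Admin roles on users and service accounts) checkable rather than something spotted by eye, here is an added audit script that is not part of the original post. It reads a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns, flags any `user:` member whose domain is not in the organization's domain list, and flags bindings to the broad roles discussed; the policy embedded below and the name `alice@example-org.com` are constructed for the demo, and `org_domains` is an assumed input.

```python
import json
from typing import Dict, List

# Roles the post calls out as over-privileged: the primitive Editor (and Owner)
# roles and Project IAM Admin (roles/resourcemanager.projectIamAdmin).
RISKY_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/resourcemanager.projectIamAdmin",
}


def audit_policy(policy: Dict, org_domains: List[str]) -> List[Dict]:
    """Flag risky bindings in a project IAM policy.

    `policy` has the shape returned by
    `gcloud projects get-iam-policy PROJECT --format=json`.
    `org_domains` lists the domains that count as inside the organization.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")
            domain = identity.rsplit("@", 1)[-1] if "@" in identity else ""
            if kind == "user" and domain not in org_domains:
                findings.append({"member": member, "role": role,
                                 "issue": "external user principal"})
            if role in RISKY_ROLES:
                findings.append({"member": member, "role": role,
                                 "issue": "broad or admin role"})
    return findings


# Constructed sample policy mirroring the demo setup described above: two
# gmail.com users and the default compute service account with Project IAM Admin.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:riyazwalikar@gmail.com", "user:alice@example-org.com"]},
    {"role": "roles/resourcemanager.projectIamAdmin",
     "members": ["serviceAccount:1097328787363-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["user:rjrocks1337@gmail.com"]}
  ]
}""")

if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY, ["example-org.com"]):
        print(f"{f['issue']:<24} {f['role']:<42} {f['member']}")
```

Against a real project, pipe the output of `gcloud projects get-iam-policy PROJECT --format=json` into `json.load` and pass your own organization domains instead of the constructed sample.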

API Keys

API keys can be generated to perform actions in the Google Cloud account. All the keys in the account are visible under https://console.cloud.google.com/apis/credentials?

API keys are used to access enabled APIs.

[Screenshot: API keys]

API keys can be restricted using various application restrictions, such as HTTP referrers, IP addresses, Android or iOS apps, as well as service-level restrictions.

[Screenshot: api restrictions]

API restrictions can also be applied per service, limiting the key to the specific services it needs to access.

[Screenshot: API restrictions by service]
