peanuth8tr edited this page Oct 16, 2020 · 2 revisions

GCP Security Domains

Many of these are covered by the CIS GCP Foundation Benchmark.

IAM

  • the use and privileges of service accounts
  • See Google IAM Analyzer for specific use cases of IAM concerns (e.g. iam.serviceAccounts.actAs permissions or finding resources which are granted any role/permission to a specified identity)
  • the use and rotation of security keys
  • See section 1 of CIS GCP Foundation Benchmark

Networking

  • Ensure management access is not permitted from the Internet (e.g. SSH/RDP)
  • Default network does not exist in a project
  • VPC peering between projects does not allow unintended access to sensitive networks
  • See section 3 of CIS GCP Foundation Benchmark
  • Unrestricted outbound (egress) traffic must be denied to limit data exfiltration; recursive DNS queries to the Internet must be blocked for the same reason.
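The following script is an added example (it is not part of this wiki page or of Forseti) showing how the networking checks above can be run offline against an exported rule list. It assumes the JSON shape produced by `gcloud compute firewall-rules list --format=json`; the rules, project name and CIDRs below are constructed sample data, and the "default network" check is only a proxy that reports rules still referencing a network named `default`.

```python
"""Offline review of exported GCP VPC firewall rules (added example, not part
of this wiki page). Expects the JSON list from
`gcloud compute firewall-rules list --format=json`; sample rules are constructed."""
import json

MGMT_PORTS = {22, 3389}            # SSH and RDP, per the checklist above
ANYWHERE = {"0.0.0.0/0", "::/0"}   # "from the Internet"

# Constructed sample export: two risky ingress rules, no explicit egress deny.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh-from-anywhere", "direction": "INGRESS", "disabled": False,
     "network": "https://www.googleapis.com/compute/v1/projects/acme-prod/global/networks/default",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-rdp-from-corp", "direction": "INGRESS", "disabled": False,
     "network": "https://www.googleapis.com/compute/v1/projects/acme-prod/global/networks/prod-vpc",
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-app-port-range", "direction": "INGRESS", "disabled": False,
     "network": "https://www.googleapis.com/compute/v1/projects/acme-prod/global/networks/default",
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
])


def ports_cover(port_specs, wanted):
    """True if any port or 'lo-hi' range in the rule covers one of `wanted`."""
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in wanted):
            return True
    return False


def exposes_management(rule):
    """Enabled ingress rule that lets the whole Internet reach SSH or RDP?"""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if not ANYWHERE & set(rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allowed.get("ports")
        if proto == "all" or not ports:        # no port list means every port
            return True
        if ports_cover(ports, MGMT_PORTS):
            return True
    return False


def has_egress_deny_all(rules):
    """GCP's implied rule allows all egress, so an explicit, enabled
    deny-all rule towards 0.0.0.0/0 must exist to block outbound traffic."""
    for rule in rules:
        if rule.get("direction") != "EGRESS" or rule.get("disabled"):
            continue
        if not ANYWHERE & set(rule.get("destinationRanges", [])):
            continue
        if any(d.get("IPProtocol", "").lower() == "all" for d in rule.get("denied", [])):
            return True
    return False


def network_name(rule):
    """Last path segment of the rule's network selfLink."""
    return rule.get("network", "").rstrip("/").rsplit("/", 1)[-1]


def review(rules_json):
    """Return human-readable findings for one exported rule list."""
    rules = json.loads(rules_json)
    findings = [f"{r['name']}: management port open to the Internet"
                for r in rules if exposes_management(r)]
    if any(network_name(r) == "default" for r in rules):
        findings.append("default network still exists (rules reference it)")
    if not has_egress_deny_all(rules):
        findings.append("no explicit deny-all egress rule found")
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_RULES_JSON):
        print(line)
```

The port-range check matters because a rule such as `tcp:3000-4000` opened to the world quietly includes RDP (3389); matching only exact `22`/`3389` strings would miss it.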

Storage

  • Verify buckets and objects are not exposed to public enumeration through default or guessable naming conventions
  • Access permissions to storage buckets
  • Searches for sensitive info (e.g. creds) that could lead to privesc
  • Verify logging and versioning are enabled
  • See section 5 of CIS GCP Foundation Benchmark
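As an added example (not from this wiki or from Forseti), the script below runs the Storage checks above against exported bucket metadata. It assumes the JSON API bucket resource shape returned by `gcloud storage buckets describe gs://NAME --format=json` (fields `iamConfiguration`, `versioning`, `logging`) and the IAM policy shape from `gcloud storage buckets get-iam-policy gs://NAME --format=json`; the bucket, policy and project id below are constructed.

```python
"""Offline review of one Cloud Storage bucket (added example, not from the
wiki). Assumes the JSON API bucket resource and IAM policy shapes exported by
gcloud; both sample documents are constructed."""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_PROJECT_ID = "acme-prod"   # constructed

# Constructed bucket resource: versioning off, no access logging, public
# access prevention merely inherited, and a name that echoes the project id.
SAMPLE_BUCKET_JSON = json.dumps({
    "name": "acme-prod-backups",
    "iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True},
        "publicAccessPrevention": "inherited",
    },
    "versioning": {"enabled": False},
})

# Constructed IAM policy: objects readable by anyone on the Internet.
SAMPLE_POLICY_JSON = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["group:storage-admins@example.com"]},
    ]
})


def public_bindings(policy):
    """(role, members) pairs granted to allUsers / allAuthenticatedUsers."""
    out = []
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_MEMBERS & set(binding.get("members", []))
        if exposed:
            out.append((binding["role"], sorted(exposed)))
    return out


def review_bucket(bucket_json, policy_json, project_id):
    """Return findings for the checks in the Storage section."""
    bucket = json.loads(bucket_json)
    policy = json.loads(policy_json)
    iam_cfg = bucket.get("iamConfiguration", {})
    findings = []
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced")
    for role, members in public_bindings(policy):
        findings.append(f"{role} granted to {', '.join(members)}")
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("uniform bucket-level access disabled (legacy object ACLs still apply)")
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append("object versioning disabled")
    if not bucket.get("logging", {}).get("logBucket"):
        findings.append("usage/storage logging not configured")
    if bucket["name"].startswith(project_id):
        findings.append(f"name derived from project id {project_id}: easy to guess")
    return findings


if __name__ == "__main__":
    for line in review_bucket(SAMPLE_BUCKET_JSON, SAMPLE_POLICY_JSON, SAMPLE_PROJECT_ID):
        print(line)
```

The `logging.logBucket` field is the bucket's usage/storage log target; Cloud Audit Logging for data access is a project-level setting and is covered in the Logging section.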

Logging

  • Ensure Cloud Audit Logging across all services and users in a project
  • See section 2 of CIS GCP Foundation Benchmark (Many custom logging filters and alerts are listed here)
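The script below is an added example (not from this wiki, Forseti, or the IAM Analyzer it mentions) that runs the IAM checks from the IAM section (service accounts holding owner/editor, project-wide `serviceAccountUser`/`serviceAccountTokenCreator` grants, and every role bound to a given identity across resources) together with the Logging check above, since both live in the same exported document. It assumes the JSON shape of `gcloud projects get-iam-policy PROJECT_ID --format=json`, where `bindings` hold role grants and `auditConfigs` hold the Cloud Audit Logging settings; the policies, identities and project names are constructed.

```python
"""Offline review of exported project IAM policies (added example, not from
the wiki). Assumes the `gcloud projects get-iam-policy ... --format=json`
shape; the policies below are constructed."""

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Granted at project level these allow acting as every service account in it.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountUser", "roles/iam.serviceAccountTokenCreator"}
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}

SAMPLE_POLICIES = {   # constructed: resource name -> exported IAM policy
    "projects/acme-prod": {
        "bindings": [
            {"role": "roles/owner",
             "members": ["user:alice@example.com",
                         "serviceAccount:ci-builder@acme-prod.iam.gserviceaccount.com"]},
            {"role": "roles/iam.serviceAccountUser", "members": ["group:devs@example.com"]},
            {"role": "roles/viewer", "members": ["user:bob@example.com"]},
        ],
        "auditConfigs": [{
            "service": "allServices",
            "auditLogConfigs": [
                {"logType": "ADMIN_READ"},
                {"logType": "DATA_WRITE", "exemptedMembers": ["user:alice@example.com"]},
            ],
        }],
    },
    "projects/acme-dev": {
        "bindings": [{"role": "roles/editor", "members": ["user:bob@example.com"]}],
    },
}


def grants(policy):
    """Flatten bindings into (role, member) pairs."""
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            yield binding["role"], member


def service_accounts_with_primitive_roles(policy):
    """Service accounts holding owner or editor on the resource."""
    return sorted({m for r, m in grants(policy)
                   if r in PRIMITIVE_ROLES and m.startswith("serviceAccount:")})


def project_wide_impersonation(policy):
    """Identities that can act as any service account in the project."""
    return sorted({(r, m) for r, m in grants(policy) if r in IMPERSONATION_ROLES})


def roles_for_identity(policies, member):
    """Every resource whose policy grants `member` anything, with the roles."""
    result = {}
    for resource, policy in policies.items():
        roles = sorted(r for r, m in grants(policy) if m == member)
        if roles:
            result[resource] = roles
    return result


def audit_logging_gaps(policy):
    """Deviations from 'all three log types on allServices, no exemptions'."""
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") != "allServices":
            continue
        log_cfgs = cfg.get("auditLogConfigs", [])
        enabled = {c["logType"] for c in log_cfgs}
        gaps = [f"{t} not enabled for allServices" for t in sorted(REQUIRED_LOG_TYPES - enabled)]
        for c in log_cfgs:
            gaps += [f"{ex} exempted from {c['logType']}" for ex in c.get("exemptedMembers", [])]
        return gaps
    return ["no audit config for allServices"]


if __name__ == "__main__":
    prod = SAMPLE_POLICIES["projects/acme-prod"]
    print("service accounts with owner/editor:", service_accounts_with_primitive_roles(prod))
    print("project-wide impersonation grants:", project_wide_impersonation(prod))
    print("roles held by bob:", roles_for_identity(SAMPLE_POLICIES, "user:bob@example.com"))
    for gap in audit_logging_gaps(prod):
        print("audit logging:", gap)
```

Feeding `roles_for_identity` the policies of every project, folder and bucket you export answers the "which resources grant anything to this identity" question from the IAM bullet without needing the Analyzer.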

Compute Engine (CE) Hardening

Many of the same aspects of normal OS privilege escalation apply here. The target will typically be Ubuntu, built from the GCP CIS hardened base image. Things to look for that are specific to GCP include:

  • Ability to write custom GCP metadata for CE instances. An attacker who can write instance or project metadata may be able to escalate privileges by adding SSH keys to custom metadata and switching to another user on the system who has sudo rights (see the GitLab article).
  • Sensitive scripts/values written to GCP metadata. Any startup scripts need to be manually reviewed for business logic bugs. The integrity of any downloaded software needs to be validated (e.g. verification of checksums or PGP signatures) unless it originates from a trusted source within GCP (e.g. a GCP bucket). Any downloaded configuration files or keys need to be stored on the filesystem with the right permissions.

view project metadata

$ curl "http://metadata.google.internal/computeMetadata/v1/project/attributes/?recursive=true&alt=text" \
    -H "Metadata-Flavor: Google"

view instance metadata

$ curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=true&alt=text" \
    -H "Metadata-Flavor: Google"

  • User home directory permissions
  • Config files with service account keys, e.g. gcloud configuration directories:

$ sudo find / -name "gcloud"

  • See section 4 of CIS GCP Foundation Benchmark
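The script below is an added example (not from this wiki or from Forseti) that triages the text dump returned by the two curl commands above, flagging the metadata-related items in this section: metadata SSH keys being honoured, startup scripts and their origin, secret-looking attribute names, and the serial console. It assumes the `?recursive=true&alt=text` output is one `key value` pair per line (an assumption; multi-line values such as an inline startup script are only partly represented that way). The attribute names used are real GCP metadata keys; the values in the sample dump are constructed.

```python
"""Triage of a GCP metadata text dump (added example, not from the wiki).
Assumes `?recursive=true&alt=text` yields one `key value` line per attribute;
attribute names are real GCP keys, the values are constructed."""
import re

SAMPLE_DUMP = """\
enable-oslogin FALSE
block-project-ssh-keys FALSE
ssh-keys deploy:ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-KEY deploy@build
startup-script-url gs://acme-prod-boot/bootstrap.sh
startup-script #!/bin/bash
db-password hunter2-CONSTRUCTED
serial-port-enable TRUE
"""

# Key names suggesting a secret was parked in metadata instead of Secret Manager.
SECRET_KEY_PATTERN = re.compile(r"pass|secret|token|cred|private|api[-_]?key", re.I)


def parse_metadata_text(text):
    """Split each `key value` line at the first space."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        attrs[key] = value.strip()
    return attrs


def ssh_key_users(value):
    """Usernames in an ssh-keys attribute ('user:ssh-rsa AAAA... comment' per entry)."""
    return sorted({entry.split(":", 1)[0] for entry in value.splitlines() if ":" in entry})


def review_metadata(text):
    """Return findings a reviewer would raise about this instance's metadata."""
    attrs = parse_metadata_text(text)
    findings = []
    if attrs.get("enable-oslogin", "").upper() != "TRUE":
        findings.append("enable-oslogin is not TRUE: ssh-keys in metadata grant login")
    if attrs.get("block-project-ssh-keys", "").upper() != "TRUE":
        findings.append("block-project-ssh-keys is not TRUE: project-wide ssh-keys also apply here")
    if "ssh-keys" in attrs:
        findings.append("ssh-keys grants login to: " + ", ".join(ssh_key_users(attrs["ssh-keys"])))
    url = attrs.get("startup-script-url")
    if url:
        origin = ("GCS bucket, confirm it is trusted and write-protected" if url.startswith("gs://")
                  else "external source, verify a checksum or signature before trusting it")
        findings.append(f"startup-script-url {url}: {origin}")
    if "startup-script" in attrs:
        findings.append("startup-script present: review inline script for logic and integrity issues")
    for key in attrs:
        if key != "ssh-keys" and SECRET_KEY_PATTERN.search(key):
            findings.append(f"{key}: looks like a secret stored in metadata")
    if attrs.get("serial-port-enable", "").upper() == "TRUE":
        findings.append("serial-port-enable is TRUE: interactive serial console is reachable")
    return findings


if __name__ == "__main__":
    for line in review_metadata(SAMPLE_DUMP):
        print(line)
```

Run it on the project dump as well as the instance dump: project-level `ssh-keys` apply to every instance that has not set `block-project-ssh-keys` to TRUE, which is why both attributes are checked.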

Forseti-Specific

  • Forseti relies on MySQL to store policies and rules. Ensure MySQL is hardened.
  • Default user is "forseti_security_user". Verify that the password of the user is not exposed.

Other Services

  • App-Engine
  • BigQuery
  • Database Services

Resources:

GCP Hardening Guides

Relevant Blogs

Con Videos

Scripts/Tools: