GCP - Permissions for a Pentest

If you want to pentest a GCP environment, ask for enough permissions to examine all, or at least most, of the services the target uses in GCP. Ideally, ask the client to create the following:

  • Create a new project

  • Create a Service Account inside that project (and obtain its JSON credentials), or create a new user.

  • Grant the Service Account or the user the roles listed later on this page at ORGANISATION level (a binding on the new project alone leaves the rest of the hierarchy invisible)

  • Enable the APIs listed later on this page in the newly created project

Set of permissions needed to use the suggested tools:

roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer

APIs to enable (list taken from Starbase):

gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com
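The four steps above, written out as one provisioning script that the client (or the tester, with sufficient rights) can run. This is an added example, not code from this page or from any of the listed tools; the organisation ID 123456789012, the project ID pentest-readonly, the service account name pentest-reader and the display names are placeholders, and roles/iam.securityReviewer is added to the org-level roles because several of the per-tool lists further down require it. It defaults to a dry run that only prints the gcloud commands, so it can be reviewed before anything is created.

```shell
#!/bin/sh
# Provisioning script for the read-only pentest identity described above:
# new project -> service account + JSON key -> org-level roles -> scanner APIs -> verification.
# DRY_RUN=1 (the default) only prints the gcloud commands; DRY_RUN=0 executes them.
set -eu

# Assumed placeholder values; replace with the client's real organisation and naming.
# Project IDs are globally unique, so the real one will need a suffix.
ORG_ID="${ORG_ID:-123456789012}"
PROJECT_ID="${PROJECT_ID:-pentest-readonly}"
SA_NAME="${SA_NAME:-pentest-reader}"
KEY_FILE="${KEY_FILE:-${SA_NAME}.json}"
DRY_RUN="${DRY_RUN:-1}"
SA_EMAIL="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

# Roles from this page, bound at ORGANISATION level so every folder and project is visible.
ORG_ROLES="roles/viewer roles/resourcemanager.folderViewer roles/resourcemanager.organizationViewer roles/iam.securityReviewer"

# APIs from the Starbase list above; they are enabled in the new project only.
APIS="serviceusage.googleapis.com cloudfunctions.googleapis.com storage.googleapis.com \
iam.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com \
cloudkms.googleapis.com sqladmin.googleapis.com bigquery.googleapis.com container.googleapis.com \
dns.googleapis.com logging.googleapis.com monitoring.googleapis.com binaryauthorization.googleapis.com \
pubsub.googleapis.com appengine.googleapis.com run.googleapis.com redis.googleapis.com \
memcache.googleapis.com apigateway.googleapis.com spanner.googleapis.com privateca.googleapis.com \
cloudasset.googleapis.com accesscontextmanager.googleapis.com"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_project() {
  run gcloud projects create "$PROJECT_ID" --organization="$ORG_ID" --name="Pentest read-only"
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" --display-name="Pentest reader"
  # The JSON key is the tester's credential: hand it over out of band and delete it when the engagement ends.
  run gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$SA_EMAIL" --project="$PROJECT_ID"
}

grant_org_roles() {
  for role in $ORG_ROLES; do
    run gcloud organizations add-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
}

# Run at the end of the engagement, together with deleting the key and the project.
revoke_org_roles() {
  for role in $ORG_ROLES; do
    run gcloud organizations remove-iam-policy-binding "$ORG_ID" \
      --member="serviceAccount:${SA_EMAIL}" --role="$role"
  done
}

enable_apis() {
  # $APIS is deliberately unquoted: one API name per argument.
  run gcloud services enable $APIS --project="$PROJECT_ID"
}

# Check: print the roles actually bound to the SA in the org policy (expected: exactly ORG_ROLES).
verify_org_bindings() {
  run gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:${SA_EMAIL}" \
    --format="value(bindings.role)"
}

provision_pentest_identity() {
  create_project
  create_service_account
  grant_org_roles
  enable_apis
  verify_org_bindings
}

provision_pentest_identity
```

Run it once as-is to review the commands, then with DRY_RUN=0 from an account that holds resourcemanager.projects.create on the organisation and can edit the org IAM policy. The verify step is worth keeping in the hand-over: if it lists fewer roles than expected, the bindings were made on the project instead of the organisation and the tools will only see the new, empty project.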

Individual tool permissions

From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer

From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer

CloudSploit (Aqua Security) is an open-source scanner for cloud misconfigurations that supports several providers, GCP among them. Against GCP it runs a set of read-only checks (overly permissive firewall rules, IAM bindings and service account keys, KMS key settings, logging and monitoring gaps, and so on) and reports each finding with a remediation hint; the checks can also be grouped by compliance benchmark.

To run it against GCP you point its provider configuration at the service account's JSON key (see the project docs linked below) and execute the CLI, either by hand or from a pipeline for recurring scans. The permission list below is the custom role the CloudSploit documentation suggests for that service account. It is the most precise of the lists on this page, so it is also a good starting point when the client will not grant roles/viewer.

From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
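When the client will not grant roles/viewer at organisation level, an explicit permission list like the one above can be turned into an organisation-level custom role instead. The following script does that; it is an added example, not code from CloudSploit or any other project on this page. The role ID pentestScanner, the service account e-mail and the organisation ID are placeholder assumptions, and the permission list is a constructed subset of the CloudSploit list (paste the full list in for real use). As with the provisioning script, it defaults to a dry run.

```shell
#!/bin/sh
# Least-privilege alternative to roles/viewer: turn an explicit permission list (such as the
# CloudSploit list above) into an organisation-level custom role and bind it to the pentest SA.
# DRY_RUN=1 (the default) prints the gcloud commands; DRY_RUN=0 executes them.
set -eu

# Assumed placeholder values; the role ID and the SA e-mail are not from the page.
ORG_ID="${ORG_ID:-123456789012}"
ROLE_ID="${ROLE_ID:-pentestScanner}"
ROLE_FILE="${ROLE_FILE:-${TMPDIR:-/tmp}/pentest-scanner-role.yaml}"
SA_EMAIL="${SA_EMAIL:-pentest-reader@pentest-readonly.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-1}"

# Constructed subset of the CloudSploit permissions (one per line); use the full list for real scans.
PERMISSIONS="cloudasset.assets.listResource
compute.firewalls.list
compute.instances.getIamPolicy
compute.instances.list
iam.serviceAccountKeys.list
iam.serviceAccounts.list
resourcemanager.projects.get
resourcemanager.projects.getIamPolicy
resourcemanager.projects.list
storage.buckets.getIamPolicy
storage.buckets.list"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# IAM permission names have the shape service.resource.verb; anything else (a role name,
# a wildcard, a stray path) is rejected before it reaches the API.
valid_permission() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9]*\.[a-zA-Z0-9]+\.[a-zA-Z0-9]+$'
}

# Writes the YAML accepted by `gcloud iam roles create --file`; fails on a malformed entry.
write_role_yaml() {
  {
    printf 'title: "Pentest scanner (read-only)"\n'
    printf 'description: "Explicit read permissions for the pentest scanners"\n'
    printf 'stage: "GA"\n'
    printf 'includedPermissions:\n'
    for p in $PERMISSIONS; do
      valid_permission "$p" || { echo "invalid permission name: $p" >&2; return 1; }
      printf '%s\n' "- $p"
    done
  } > "$ROLE_FILE"
}

# Create the role on the organisation and bind it to the SA at organisation level.
create_custom_role() {
  write_role_yaml
  run gcloud iam roles create "$ROLE_ID" --organization="$ORG_ID" --file="$ROLE_FILE"
  run gcloud organizations add-iam-policy-binding "$ORG_ID" \
    --member="serviceAccount:${SA_EMAIL}" --role="organizations/${ORG_ID}/roles/${ROLE_ID}"
}

# Check: custom roles may only contain permissions the organisation reports as testable, so
# compare the list against this output if `roles create` rejects an entry.
list_testable_permissions() {
  run gcloud iam list-testable-permissions \
    "//cloudresourcemanager.googleapis.com/organizations/${ORG_ID}" --format="value(name)"
}

create_custom_role
```

The format check matters more than it looks: a single bad entry makes the whole `roles create` call fail, and the error from the API does not always say which line caused it. Permissions that exist but are not allowed in custom roles show up in the testable-permissions output with a support level other than SUPPORTED; those have to be dropped from the file or the corresponding check in the scanner will simply report no data.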

From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer

From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer
