Jeśli chcesz przeprowadzić pentest środowiska GCP, musisz poprosić o wystarczające uprawnienia, aby sprawdzić wszystkie lub większość usług używanych w GCP. Idealnie byłoby poprosić klienta o utworzenie:
Utworzenie nowego projektu
Utworzenie konta usługi (uzyskanie poświadczeń json) lub utworzenie nowego użytkownika w tym projekcie.
Przydzielenie kontu usługi lub użytkownikowi wymienionych później ról w ORGANIZACJI
Włączenie wymienionych później w tym poście interfejsów API w utworzonym projekcie
Zestaw uprawnień do użycia narzędzi zaproponowanych później:
ScoutSuite is a powerful open-source security auditing tool for Google Cloud Platform (GCP). It helps in identifying security misconfigurations and vulnerabilities in GCP environments. ScoutSuite requires certain permissions to access and analyze the GCP resources.
To use ScoutSuite effectively, the following permissions are required:
Compute Engine: The compute.instances.list permission is needed to list the instances in the project.
Cloud Functions: The cloudfunctions.functions.list permission is required to list the functions in the project.
Cloud Storage: The storage.buckets.list permission is necessary to list the buckets in the project.
Cloud SQL: The sql.instances.list permission is needed to list the SQL instances in the project.
Cloud IAM: The iam.serviceAccounts.list permission is required to list the service accounts in the project.
Cloud Pub/Sub: The pubsub.topics.list permission is necessary to list the topics in the project.
Cloud Spanner: The spanner.instances.list permission is needed to list the Spanner instances in the project.
Cloud Firestore: The firestore.databases.list permission is required to list the Firestore databases in the project.
Cloud Bigtable: The bigtable.instances.list permission is necessary to list the Bigtable instances in the project.
Cloud Memorystore: The redis.instances.list permission is needed to list the Memorystore instances in the project.
Cloud DNS: The dns.managedZones.list permission is required to list the DNS managed zones in the project.
Cloud KMS: The cloudkms.cryptoKeys.list permission is necessary to list the KMS crypto keys in the project.
Cloud Key Management Service: The cloudkms.cryptoKeys.list permission is needed to list the KMS crypto keys in the project.
Cloud Load Balancing: The compute.backendServices.list permission is required to list the load balancing backend services in the project.
Cloud Resource Manager: The resourcemanager.projects.get permission is necessary to get project information.
Make sure to grant these permissions to the service account used by ScoutSuite to ensure accurate and comprehensive security assessments of your GCP environment.
From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions
roles/Viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer
From https://lyft.github.io/cartography/modules/gcp/config.html
roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer
From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md
roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer