GCP - Permissions for a Pentest

If you want to pentest a GCP environment, you need to ask for enough permissions to check all, or at least most, of the services used in GCP. Ideally, ask the client to:

  • Create a new project

  • Create a service account in that project (and hand over its JSON credentials), or create a new user in that project

  • Grant the service account or user the roles listed later on at the ORGANIZATION level, so the whole resource hierarchy (folders and projects) is visible, not just the new project

  • Enable the APIs listed later in this post in the created project

Set of permissions needed to run the tools proposed later:

roles/viewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer

APIs to enable (taken from starbase):

gcloud services enable \
serviceusage.googleapis.com \
cloudfunctions.googleapis.com \
storage.googleapis.com \
iam.googleapis.com \
cloudresourcemanager.googleapis.com \
compute.googleapis.com \
cloudkms.googleapis.com \
sqladmin.googleapis.com \
bigquery.googleapis.com \
container.googleapis.com \
dns.googleapis.com \
logging.googleapis.com \
monitoring.googleapis.com \
binaryauthorization.googleapis.com \
pubsub.googleapis.com \
appengine.googleapis.com \
run.googleapis.com \
redis.googleapis.com \
memcache.googleapis.com \
apigateway.googleapis.com \
spanner.googleapis.com \
privateca.googleapis.com \
cloudasset.googleapis.com \
accesscontextmanager.googleapis.com
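The four steps above as one script the client can run. This is an added example, not part of the original page or of any of the tools it cites; it assumes the caller is an organisation admin with gcloud installed, and that ORG_ID, PROJECT_ID, SA_NAME (and optionally BILLING_ACCOUNT, which many of the APIs need before they can be enabled) are replaced with the client's values. Setting GCLOUD=echo prints the commands instead of running them, which is how it can be reviewed before anything is created.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): provision the pentest identity.
# GCLOUD can be overridden (e.g. GCLOUD=echo) to dry-run the commands.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Read-only roles from the page, bound at the ORGANIZATION level so the
# inventory tools can walk every folder and project, not just the new one.
ORG_ROLES="roles/viewer roles/resourcemanager.folderViewer roles/resourcemanager.organizationViewer"

# APIs from the page's starbase list (enabled in the new project only).
APIS="serviceusage.googleapis.com cloudfunctions.googleapis.com storage.googleapis.com
iam.googleapis.com cloudresourcemanager.googleapis.com compute.googleapis.com
cloudkms.googleapis.com sqladmin.googleapis.com bigquery.googleapis.com
container.googleapis.com dns.googleapis.com logging.googleapis.com
monitoring.googleapis.com binaryauthorization.googleapis.com pubsub.googleapis.com
appengine.googleapis.com run.googleapis.com redis.googleapis.com
memcache.googleapis.com apigateway.googleapis.com spanner.googleapis.com
privateca.googleapis.com cloudasset.googleapis.com accesscontextmanager.googleapis.com"

# usage: setup_pentest_identity ORG_ID PROJECT_ID SA_NAME
# Prints the service account e-mail on success.
setup_pentest_identity() {
  org_id="$1"; project_id="$2"; sa_name="$3"
  sa_email="${sa_name}@${project_id}.iam.gserviceaccount.com"

  # 1. A dedicated project under the organisation (billing link is optional
  #    but required before compute/sql/etc. APIs can be enabled).
  "$GCLOUD" projects create "$project_id" --organization="$org_id"
  if [ -n "${BILLING_ACCOUNT:-}" ]; then
    "$GCLOUD" billing projects link "$project_id" --billing-account="$BILLING_ACCOUNT"
  fi

  # 2. Service account plus a JSON key; the key file goes to the testers
  #    out of band and is deleted when the engagement ends.
  "$GCLOUD" iam service-accounts create "$sa_name" \
    --project="$project_id" --display-name="pentest read-only"
  "$GCLOUD" iam service-accounts keys create "${sa_name}.json" \
    --iam-account="$sa_email" --project="$project_id"

  # 3. Bind the read-only roles on the organisation node.
  for role in $ORG_ROLES; do
    "$GCLOUD" organizations add-iam-policy-binding "$org_id" \
      --member="serviceAccount:${sa_email}" --role="$role"
  done

  # 4. Enable the APIs in the new project (word-splitting of $APIS is intended).
  # shellcheck disable=SC2086
  "$GCLOUD" services enable $APIS --project="$project_id"

  echo "$sa_email"
}
```

When the engagement is over, the client should revert step 3 with `gcloud organizations remove-iam-policy-binding` for each role and delete the key (`gcloud iam service-accounts keys delete`); roles/viewer at the organisation level is a broad read grant and should not outlive the test.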

Permissions for individual tools

From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

roles/bigquery.metadataViewer
roles/composer.user
roles/compute.viewer
roles/container.clusterViewer
roles/iam.securityReviewer
roles/resourcemanager.folderViewer
roles/resourcemanager.organizationViewer
roles/secretmanager.viewer

ScoutSuite is an open-source multi-cloud security auditing tool with GCP support; it enumerates a project's resources and flags misconfigurations. Its GCP rules need, at a minimum, list/get permissions on the services they inspect:

  • Compute Engine: compute.instances.list to list instances.

  • Cloud Functions: cloudfunctions.functions.list to list functions.

  • Cloud Storage: storage.buckets.list to list buckets.

  • Cloud SQL: cloudsql.instances.list to list SQL instances.

  • Cloud IAM: iam.serviceAccounts.list to list service accounts.

  • Cloud Pub/Sub: pubsub.topics.list to list topics.

  • Cloud Spanner: spanner.instances.list to list Spanner instances.

  • Cloud Firestore: datastore.databases.list to list Firestore databases (Firestore is governed by the datastore.* permission family).

  • Cloud Bigtable: bigtable.instances.list to list Bigtable instances.

  • Cloud Memorystore: redis.instances.list to list Memorystore (Redis) instances.

  • Cloud DNS: dns.managedZones.list to list managed zones.

  • Cloud KMS: cloudkms.cryptoKeys.list to list crypto keys.

  • Cloud Load Balancing: compute.backendServices.list to list backend services.

  • Cloud Resource Manager: resourcemanager.projects.get to read project metadata.

Rather than binding these one by one, grant the service account ScoutSuite runs as the roles its wiki recommends (next list); roles/viewer alone already covers nearly all of the list permissions above.

From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

roles/viewer
roles/iam.securityReviewer
roles/stackdriver.accounts.viewer

From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

includedPermissions:
- cloudasset.assets.listResource
- cloudkms.cryptoKeys.list
- cloudkms.keyRings.list
- cloudsql.instances.list
- cloudsql.users.list
- compute.autoscalers.list
- compute.backendServices.list
- compute.disks.list
- compute.firewalls.list
- compute.healthChecks.list
- compute.instanceGroups.list
- compute.instances.getIamPolicy
- compute.instances.list
- compute.networks.list
- compute.projects.get
- compute.securityPolicies.list
- compute.subnetworks.list
- compute.targetHttpProxies.list
- container.clusters.list
- dns.managedZones.list
- iam.serviceAccountKeys.list
- iam.serviceAccounts.list
- logging.logMetrics.list
- logging.sinks.list
- monitoring.alertPolicies.list
- resourcemanager.folders.get
- resourcemanager.folders.getIamPolicy
- resourcemanager.folders.list
- resourcemanager.hierarchyNodes.listTagBindings
- resourcemanager.organizations.get
- resourcemanager.organizations.getIamPolicy
- resourcemanager.projects.get
- resourcemanager.projects.getIamPolicy
- resourcemanager.projects.list
- resourcemanager.resourceTagBindings.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.list
- storage.buckets.getIamPolicy
- storage.buckets.list
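Before starting any of the tools, confirm the identity actually received what was requested, since org-level bindings are easy to get wrong. The following is an added example, not part of the original page or of cloudsploit: it asks Resource Manager's testIamPermissions method which of a required list the caller holds on a project, folder or organization, and prints the missing ones. It assumes ACCESS_TOKEN holds a token for the pentest identity (e.g. `gcloud auth activate-service-account --key-file=pentest-sa.json` followed by `gcloud auth print-access-token`) and that curl is available; the response parsing is plain text processing so it can be checked offline on a constructed response.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): report which required IAM
# permissions the caller is missing on a GCP resource.
set -eu

# Extract the "permissions" array from a testIamPermissions JSON response,
# one permission per line, sorted. Handles an empty or absent array.
granted_from_response() {
  printf '%s' "$1" | tr -d '\n' \
    | sed 's/.*"permissions"[[:space:]]*:[[:space:]]*\[//; s/\].*//' \
    | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# usage: missing_permissions REQUIRED_LIST GRANTED_LIST
# Both arguments are newline-separated permission names; prints the required
# ones that are not in the granted list.
missing_permissions() {
  required="$1"; granted="$2"
  printf '%s\n' "$required" | sed '/^[[:space:]]*$/d' | sort -u \
    | while IFS= read -r perm; do
        printf '%s\n' "$granted" | grep -qxF -- "$perm" || printf '%s\n' "$perm"
      done
}

# usage: check_resource RESOURCE REQUIRED_LIST
# RESOURCE is "projects/ID", "folders/NUMBER" or "organizations/NUMBER"
# (Resource Manager v3 accepts all three). Tests the permissions of the
# identity behind ACCESS_TOKEN, so run it as the pentest service account.
check_resource() {
  resource="$1"; required="$2"
  body=$(printf '%s\n' "$required" | sed '/^[[:space:]]*$/d' \
           | sed 's/.*/"&"/' | paste -s -d , -)
  resp=$(curl -sSf -X POST \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H "Content-Type: application/json" \
    -d "{\"permissions\":[${body}]}" \
    "https://cloudresourcemanager.googleapis.com/v3/${resource}:testIamPermissions")
  missing_permissions "$required" "$(granted_from_response "$resp")"
}

# Constructed sample: a response as the API would return it when the caller
# holds only two of three requested permissions (not real API output).
SAMPLE_RESPONSE='{
  "permissions": ["compute.instances.list", "storage.buckets.list"]
}'
SAMPLE_REQUIRED="compute.instances.list
storage.buckets.list
iam.serviceAccountKeys.list"
```

Feed the page's includedPermissions list (with the leading "- " stripped) as REQUIRED_LIST and run `check_resource projects/PROJECT_ID` for the test project, then `check_resource organizations/ORG_NUMBER` for the org-scoped ones: resourcemanager.folders.* and resourcemanager.organizations.* only make sense on a folder or organization node, so a project-level test reports them missing even when the org binding is correct. Each call sends the list in one request, so split very long lists if the API rejects the request size.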

From https://lyft.github.io/cartography/modules/gcp/config.html

roles/iam.securityReviewer
roles/resourcemanager.organizationViewer
roles/resourcemanager.folderViewer

From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

roles/iam.securityReviewer
roles/iam.organizationRoleViewer
roles/bigquery.metadataViewer
