142 lines
4.0 KiB
Plaintext
142 lines
4.0 KiB
Plaintext
Excessive granting of GCP IAM permissions can allow attackers to exploit an
|
|
organization's cloud resources with malicious intent.
|
|
|
|
To prevent improper creation or deletion of resources after an account is
|
|
compromised, proactive measures include both following GCP Security Insights
|
|
and ensuring custom roles contain as few privileges as possible.
|
|
|
|
After gaining a foothold in the target infrastructure, sophisticated attacks
|
|
typically consist of two major parts. +
|
|
First, attackers must deploy new resources to carry out their malicious intent.
|
|
To guard against this, operations teams must control what unexpectedly appears
|
|
in the infrastructure, such as what is:
|
|
|
|
* added
|
|
* written down
|
|
* updated
|
|
* started
|
|
* appended
|
|
* applied
|
|
* accessed.
|
|
|
|
Once the malicious intent is executed, attackers must avoid detection at all
|
|
costs. +
|
|
To counter attackers' attempts to remove their fingerprints, operations teams
|
|
must control what unexpectedly disappears from the infrastructure, such as what
|
|
is:
|
|
|
|
* stopped
|
|
* disabled
|
|
* canceled
|
|
* deleted
|
|
* destroyed
|
|
* detached
|
|
* disconnected
|
|
* suspended
|
|
* rejected
|
|
* removed.
|
|
|
|
For operations teams to be resilient in this scenario, their organization must
|
|
apply both:
|
|
|
|
* Detection security: log these actions to better detect malicious actions.
|
|
* Preventive security: review and limit granted permissions.
|
|
|
|
This rule raises an issue when a custom role grants a number of sensitive permissions
|
|
(read-write or destructive permission) that is greater than a given parameter.
|
|
|
|
== Ask Yourself Whether
|
|
|
|
* This custom role will be mostly used for read-only purposes.
|
|
* Compliance policies require read-only access.
|
|
|
|
There is a risk if you answered yes to any of these questions.
|
|
|
|
== Recommended Secure Coding Practices
|
|
|
|
To reduce the risks associated with this role after a compromise:
|
|
|
|
* Reduce the list of permissions to grant only those that are actually needed.
|
|
* Favor read-only over read-write.
|
|
|
|
== Sensitive Code Example
|
|
|
|
This custom role grants more than 5 sensitive permissions:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_project_iam_custom_role" "example" {
|
|
permissions = [ # Sensitive
|
|
"resourcemanager.projects.create", # Sensitive permission
|
|
"resourcemanager.projects.delete", # Sensitive permission
|
|
"resourcemanager.projects.get",
|
|
"resourcemanager.projects.list",
|
|
"run.services.create", # Sensitive permission
|
|
"run.services.delete", # Sensitive permission
|
|
"run.services.get",
|
|
"run.services.getIamPolicy",
|
|
"run.services.setIamPolicy", # Sensitive permission
|
|
"run.services.list",
|
|
"run.services.update", # Sensitive permission
|
|
]
|
|
}
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
This custom role grants less than 5 sensitive permissions:
|
|
|
|
[source,terraform]
|
|
----
|
|
resource "google_project_iam_custom_role" "example" {
|
|
permissions = [
|
|
"resourcemanager.projects.get",
|
|
"resourcemanager.projects.list",
|
|
"run.services.create",
|
|
"run.services.delete",
|
|
"run.services.get",
|
|
"run.services.getIamPolicy",
|
|
"run.services.list",
|
|
"run.services.update",
|
|
]
|
|
}
|
|
----
|
|
|
|
== See
|
|
|
|
* https://cloud.google.com/iam/docs/recommender-overview[GCP Docs] - Enforce least privilege with role recommendations
|
|
* https://cloud.google.com/iam/docs/manage-policy-insights[GCP Docs] - Security Insights
|
|
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Boken Access Control
|
|
* https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[OWASP Top 10 2017 Category A5] - Broken Access Control
|
|
* https://cwe.mitre.org/data/definitions/668[MITRE, CWE-668] - Exposure of Resource to Wrong Sphere
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
* Primary Message: This role grants more than ``max`` sensitive permissions. Make sure they are all required.
|
|
* Secondary Message: Sensitive permission: read-write or destructive
|
|
|
|
=== Parameters
|
|
|
|
.max
|
|
****
|
|
|
|
----
|
|
5
|
|
----
|
|
|
|
Number of sensitive permissions for a custom role.
|
|
****
|
|
|
|
=== Highlighting
|
|
|
|
Highlight the sensitive list item.
|
|
|
|
endif::env-github,rspecator-view[]
|