Permission Mining in GCP

Conference: BlackHat EU 2020



The presentation discusses the importance of proactively reducing risk in cloud environments and introduces a tool called IAS Permission Mining that audits and analyzes IAM policies to identify potential vulnerabilities.
  • The IAS Permission Mining tool analyzes IAM policies to identify potential vulnerabilities and reduce risk in cloud environments.
  • The tool can identify unnecessary service account bindings and recommend more granular permissions to limit their scope.
  • The tool currently does not handle privilege escalation paths through compute engines, cloud functions, and organization policies.
  • Organization policies can prevent users from creating their own service accounts or keys for impersonation, and should be taken into account as a mitigation.
  • Proactively reducing risk in cloud environments is important to make smart decisions about where to take risks and limit potential vulnerabilities.
The speaker mentions that sometimes users set up quick permissions for testing purposes but forget to clean them up, leading to unnecessary bindings that can be removed to reduce risk. The IAS Permission Mining tool can help identify these unnecessary bindings and recommend more granular permissions to limit their scope.


Do you know exactly what each user can do in your Google Cloud Platform (GCP) environment? Do you know if you have users who can assume other identities to escalate their privileges? Do you know the effective permissions those users would have if they assumed other identities? CodeSpaces went completely out of business in 2014 after an attacker used their IAM misconfiguration to delete all of their AWS infrastructure. Every enterprise should be aware of, and monitoring, this risk in their public cloud environments.

In this talk, we'll discuss an effective strategy to assess the full Identity and Access Management (IAM) exposure of a GCP environment. We'll discuss the complexity of this problem with some real-world examples, and demonstrate how a misconfigured member can escalate privileges via direct service account impersonation or by launching resources. This threat has existed for years in public cloud providers. While GCP and their recommended open-source tools address some IAM misconfiguration use cases, they do not provide full visibility into the potential for privilege escalation or lateral movement. The solution we designed provides the missing visibility.

Finally, we'll cover our approach to solving this problem, which uses a graph. Once we obtain all the relevant information via API calls, the graph allows us to map out the permissions granted to members, the structure of the GCP environment, and the service accounts. The demo will show how we designed the graph, the way we traverse it, and the output. We ran this solution in multiple environments, including production environments where we found dozens of 'shadow admin' identities. These identities were able to escalate their privileges to become administrators with control over all resources, permissions, and logging. You will see how the results were used to remediate those environments.
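The graph idea described above, as an added illustration that is not the speakers' tool: members and service accounts are nodes, IAM bindings that grant impersonation permissions are edges, a breadth-first traversal yields each member's effective permissions, and a member who reaches an admin-equivalent permission only through that traversal is reported as a shadow admin. The role expansions, service-account inventory and bindings are constructed sample data, and the assumption that a project-level impersonation grant covers every service account in that project is this example's own.

```python
from collections import defaultdict, deque
# Constructed, illustrative subset of role -> permission expansions (not the real, full role definitions).
ROLES = {
    "roles/iam.serviceAccountTokenCreator": {"iam.serviceAccounts.getAccessToken"},
    "roles/owner": {"resourcemanager.projects.setIamPolicy", "logging.sinks.delete"},
}
# Permissions that let a member assume a service account: each one becomes an impersonation edge.
IMPERSONATION_PERMS = {"iam.serviceAccounts.getAccessToken", "iam.serviceAccounts.actAs", "iam.serviceAccountKeys.create"}
ADMIN_PERMS = {"resourcemanager.projects.setIamPolicy"}  # rewriting IAM policy is admin-equivalent
# Constructed inventory: the project each service account lives in, and bindings as (member, role, resource).
SERVICE_ACCOUNTS = {"serviceAccount:deployer@prod": "project:prod", "serviceAccount:reporter@prod": "project:prod"}
BINDINGS = [
    ("user:alice@example.com", "roles/iam.serviceAccountTokenCreator", "serviceAccount:deployer@prod"),
    ("user:bob@example.com", "roles/iam.serviceAccountTokenCreator", "serviceAccount:reporter@prod"),
    ("user:carol@example.com", "roles/iam.serviceAccountTokenCreator", "project:prod"),  # project-wide grant
    ("serviceAccount:deployer@prod", "roles/owner", "project:prod"),
]

def build_graph(bindings):
    """grants: member -> [(role, resource)]; impersonate: member -> {service accounts it can assume}."""
    grants, impersonate = defaultdict(list), defaultdict(set)
    for member, role, resource in bindings:
        grants[member].append((role, resource))
        if ROLES[role] & IMPERSONATION_PERMS:
            if resource in SERVICE_ACCOUNTS:  # binding on one service account
                impersonate[member].add(resource)
            else:  # assumption: a binding on the project covers every service account inside it
                impersonate[member].update(sa for sa, proj in SERVICE_ACCOUNTS.items() if proj == resource)
    return grants, impersonate

def reachable_identities(member, impersonate):
    """BFS over impersonation edges: every identity the member can become, directly or transitively."""
    seen, queue = {member}, deque([member])
    while queue:
        for nxt in impersonate.get(queue.popleft(), set()) - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen

def effective_permissions(member, grants, impersonate):
    """Union of permissions held by the member and by every identity it can impersonate."""
    return {p for ident in reachable_identities(member, impersonate)
            for role, _ in grants.get(ident, []) for p in ROLES[role]}

def find_shadow_admins(bindings):
    """Members with no direct admin permission that still reach one through an impersonation chain."""
    grants, impersonate = build_graph(bindings)
    direct = {m: {p for role, _ in g for p in ROLES[role]} for m, g in grants.items()}
    return {m: sorted(reachable_identities(m, impersonate) - {m}) for m in grants
            if effective_permissions(m, grants, impersonate) & ADMIN_PERMS and not direct[m] & ADMIN_PERMS}
```

Run against a real inventory, the role map would be filled from the IAM roles API and the bindings from each project's and service account's IAM policy; the traversal and the shadow-admin check stay the same.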