An attacker with access to your Google Cloud project can persist by backdooring the IAM policy of an existing service account.
When an attacker backdoors a service account, they may continue to have access for an extended period of time even when the root cause of the breach is identified and fixed.
An attacker can persist in the Google Cloud project by adding a binding to an existing service account's IAM policy that grants the attacker permissions to generate short-lived credentials for this service account ("service account impersonation"). Any user that has the role iam.serviceAccountTokenCreator on a service account can impersonate it, for instance using the gcloud CLI flag
The Google Cloud Admin logs event google.iam.admin.v1.SetIAMPolicy is generated when the IAM policy of a service account is updated. You can monitor for unusual changes, such as service account impersonation permissions being granted to an external user.
After backdooring the service account IAM policy, when the attacker impersonates the service account, the Google Cloud Admin logs event is generated if IAM audit logs for data access activity are enabled in your project.
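The detection described above, written as an added example (not code from the original page or from Stratus Red Team) that runs over constructed audit log lines: it flags SetIAMPolicy calls on a service account that ADD roles/iam.serviceAccountTokenCreator for a member outside a trusted domain. The serviceData.policyDelta.bindingDeltas field layout, the TRUSTED_DOMAINS list and the sample entries are assumptions made for this example.

```python
import json

# Role named above: any holder can mint short-lived credentials for the service account.
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator"}
# Identity domains treated as internal (assumed values for this example).
TRUSTED_DOMAINS = {"example.com", "my-project.iam.gserviceaccount.com"}

def is_external(member):
    """True when an IAM member is public or belongs to a domain outside TRUSTED_DOMAINS."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    identity = member.partition(":")[2]          # strip "user:", "group:", "serviceAccount:", ...
    return identity.rpartition("@")[2] not in TRUSTED_DOMAINS

def find_backdoored_service_accounts(log_lines):
    """Return alerts for SetIAMPolicy events that grant an impersonation role to an external member."""
    alerts = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "google.iam.admin.v1.SetIAMPolicy":
            continue
        resource = payload.get("resourceName", "")
        if "/serviceAccounts/" not in resource:        # only service-account policies
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD" or delta.get("role") not in IMPERSONATION_ROLES:
                continue                               # removals and unrelated roles are not persistence
            if is_external(delta.get("member", "")):
                alerts.append({"time": entry.get("timestamp"), "service_account": resource,
                               "role": delta["role"], "granted_to": delta.get("member", ""),
                               "actor": payload.get("authenticationInfo", {}).get("principalEmail")})
    return alerts

def _entry(ts, sa_id, actor, action, member):
    """Build one constructed audit log line (not real data) for a service-account SetIAMPolicy call."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": "google.iam.admin.v1.SetIAMPolicy",
        "resourceName": f"projects/-/serviceAccounts/{sa_id}",
        "authenticationInfo": {"principalEmail": actor},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": action, "role": "roles/iam.serviceAccountTokenCreator", "member": member}]}}}})

SAMPLE_LOGS = [  # constructed sample entries
    _entry("2024-05-01T10:00:00Z", "111111111111", "admin@example.com", "ADD", "group:deployers@example.com"),
    _entry("2024-05-01T10:05:00Z", "222222222222", "compromised@example.com", "ADD", "user:attacker@gmail.com"),
    _entry("2024-05-01T10:06:00Z", "222222222222", "admin@example.com", "REMOVE", "user:attacker@gmail.com"),
]
```

Calling find_backdoored_service_accounts(SAMPLE_LOGS) returns a single alert, for the grant to user:attacker@gmail.com; the internal group grant and the later REMOVE are ignored.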
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate gcp.persistence.backdoor-service-account-policy
See also the related documentation:
Backdoor a GCP Service Account through its IAM Policy
Create short-lived credentials for a service account