About
An attacker with access to your Google Cloud project can persist by backdooring the IAM policy of an existing service account.
Understanding Impact
Business Impact
When an attacker backdoors a service account, they may continue to have access for an extended period of time even when the root cause of the breach is identified and fixed.
Technical Impact
An attacker can persist in the Google Cloud project by adding a binding to an existing service account's IAM policy that grants the attacker permissions to generate short-lived credentials for this service account ("service account impersonation"). Any user that has the role iam.serviceAccountTokenCreator on a service account can impersonate it, for instance using the gcloud CLI flag --impersonate-service-account.
Detection
The Google Cloud Admin logs event google.iam.admin.v1.SetIAMPolicy is generated when the IAM policy of a service account is updated. You can monitor for unusual changes, such as service account impersonation permissions being granted to an external user.

After backdooring the service account IAM policy, when the attacker impersonates the service account, the Google Cloud Admin logs event GenerateAccessToken is generated if IAM audit logs for data access activity are enabled in your project.
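The two detection signals above (a SetIAMPolicy change that adds iam.serviceAccountTokenCreator for an outside principal, followed by a GenerateAccessToken call against the same service account) can be checked with a small script over exported Cloud Audit Log entries. The code below is an added example, not part of the original page or of Stratus Red Team; the log entries, the trusted domain example.com, the project name my-project and the principal names are constructed, and the JSON layout (protoPayload.serviceData.policyDelta.bindingDeltas, authenticationInfo.principalEmail) models the Cloud Audit Log format rather than reproducing a real export.

```python
"""Flag service-account IAM policy changes that grant impersonation rights to
outside principals, and follow-on access-token generation, from Cloud Audit
Log entries. Added example, not from the original page; the log entries
below are constructed and only model the Cloud Audit Log JSON layout."""
import json

# Role the page names as sufficient for impersonation; extend the set if needed.
CREDENTIAL_ROLES = {"roles/iam.serviceAccountTokenCreator"}
SET_POLICY = "google.iam.admin.v1.SetIAMPolicy"
GEN_TOKEN = "GenerateAccessToken"


def is_external(member, trusted_domains, trusted_projects):
    """True when an IAM member string refers to a principal outside the
    organisation. Member strings follow IAM policy syntax
    (user:, group:, serviceAccount:, domain:, allUsers, allAuthenticatedUsers)."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    kind, _, identity = member.partition(":")
    if kind == "deleted":  # tombstoned principal, can no longer authenticate
        return False
    if kind == "domain":
        return identity not in trusted_domains
    domain = identity.rsplit("@", 1)[-1]
    if kind == "serviceAccount":
        # Project-owned service accounts end in <project>.iam.gserviceaccount.com
        return not any(domain == f"{p}.iam.gserviceaccount.com" for p in trusted_projects)
    return domain not in trusted_domains


def find_backdoor_bindings(entries, trusted_domains, trusted_projects):
    """Return SetIAMPolicy events on service accounts that ADD a credential
    role for an external member."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        resource = payload.get("resourceName", "")
        if payload.get("methodName") != SET_POLICY or "/serviceAccounts/" not in resource:
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            member = delta.get("member", "")
            if (delta.get("action") == "ADD" and delta.get("role") in CREDENTIAL_ROLES
                    and is_external(member, trusted_domains, trusted_projects)):
                findings.append({
                    "time": entry.get("timestamp"),
                    "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                    "service_account": resource,
                    "granted_to": member,
                    "role": delta["role"],
                })
    return findings


def find_impersonation(entries, service_accounts):
    """Return (caller, service account) pairs for GenerateAccessToken events on
    the given service-account resource names. These events only exist when
    Data Access audit logs are enabled for IAM, as the page notes."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != GEN_TOKEN:
            continue
        if payload.get("resourceName") in service_accounts:
            hits.append((payload.get("authenticationInfo", {}).get("principalEmail"),
                         payload.get("resourceName")))
    return hits


# Constructed sample: a benign policy change, a backdoor binding, and a later
# token generation by the newly granted outside principal.
SAMPLE_LOG = json.loads("""[
 {"timestamp": "2024-01-01T10:00:00Z",
  "protoPayload": {"serviceName": "iam.googleapis.com",
   "methodName": "google.iam.admin.v1.SetIAMPolicy",
   "resourceName": "projects/-/serviceAccounts/123456789012345678901",
   "authenticationInfo": {"principalEmail": "admin@example.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/iam.serviceAccountUser", "member": "user:dev@example.com"}]}}}},
 {"timestamp": "2024-01-01T10:05:00Z",
  "protoPayload": {"serviceName": "iam.googleapis.com",
   "methodName": "google.iam.admin.v1.SetIAMPolicy",
   "resourceName": "projects/-/serviceAccounts/123456789012345678901",
   "authenticationInfo": {"principalEmail": "compromised@example.com"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator", "member": "user:outsider@attacker.example"}]}}}},
 {"timestamp": "2024-01-01T10:30:00Z",
  "protoPayload": {"serviceName": "iamcredentials.googleapis.com",
   "methodName": "GenerateAccessToken",
   "resourceName": "projects/-/serviceAccounts/123456789012345678901",
   "authenticationInfo": {"principalEmail": "outsider@attacker.example"}}}
]""")


if __name__ == "__main__":
    backdoors = find_backdoor_bindings(SAMPLE_LOG, {"example.com"}, {"my-project"})
    for f in backdoors:
        print(f"[{f['time']}] {f['actor']} granted {f['role']} on {f['service_account']} to {f['granted_to']}")
    for caller, sa in find_impersonation(SAMPLE_LOG, {f["service_account"] for f in backdoors}):
        print(f"impersonation: {caller} generated a token for {sa}")
```

The first function only fires on ADD deltas so that removing a stale binding during cleanup does not page anyone; the second is scoped to the service accounts the first flagged, which keeps token generation by legitimate CI identities out of the alert. Feed it the output of a log sink or `gcloud logging read` converted to a JSON array.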
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate gcp.persistence.backdoor-service-account-policy
See also the related documentation.
References
Backdoor a GCP Service Account through its IAM Policy
stratus-red-team.cloud
Create short-lived credentials for a service account
gcp documentation