About
An attacker with access to your Google Cloud project can persist by inviting an external malicious user to the project.
Understanding Impact
Business Impact
When an attacker invites an external malicious user to a Google Cloud environment, they may continue to have access for an extended period of time even when the root cause of the breach is identified and fixed.
Technical Impact
An attacker can persist in the Google Cloud project by adding a binding to the project's IAM policy that grants the malicious user a privileged role, for instance using:
gcloud projects add-iam-policy-binding victim-gcp-project \
--member="user:malicious@example.com" --role="roles/editor"
Or by using the Google Cloud console.
Detection
The Google Cloud Admin Activity audit log event InsertProjectOwnershipInvite is generated when a principal is invited to a Google Cloud project as an owner. The event SetIamPolicy is generated when a principal is granted other permissions, such as editor, at the project level.
Sample events are reproduced below, shortened for the sake of clarity.
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "cloudresourcemanager.googleapis.com",
    "methodName": "InsertProjectOwnershipInvite",
    "resourceName": "projects/target-project",
    "request": {
      "member": "user:attacker@gmail.com",
      "projectId": "target-project",
      "@type": "type.googleapis.com/google.internal.cloud.resourcemanager.InsertProjectOwnershipInviteRequest"
    },
    "response": {
      "@type": "type.googleapis.com/google.internal.cloud.resourcemanager.InsertProjectOwnershipInviteResponse"
    }
  }
}
{
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "cloudresourcemanager.googleapis.com",
    "methodName": "SetIamPolicy",
    "serviceData": {
      "@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
      "policyDelta": {
        "bindingDeltas": [
          {
            "action": "ADD",
            "role": "roles/editor",
            "member": "user:attacker@gmail.com"
          }
        ]
      }
    },
    "request": {
      "resource": "target-project",
      "policy": {
        // ...
      },
      "@type": "type.googleapis.com/google.iam.v1.SetIamPolicyRequest"
    }
  }
}
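The detection logic described above, as an added example that is not part of the original page or of any Datadog product: it walks audit log events of both shapes and flags external principals (e-mail domain outside a trusted set) being invited as owner or granted a privileged role. The trusted domain, the privileged role set and the sample events are constructed for illustration.

```python
import json

# Roles whose grant to an outside principal is worth alerting on (assumption: tune to your org).
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/resourcemanager.projectIamAdmin"}

def is_external(member, trusted_domains):
    """True when a user:/group: member's e-mail domain is not one of ours."""
    kind, _, identity = member.partition(":")
    if kind not in ("user", "group"):
        return False  # service accounts, allUsers, etc. need different rules
    return identity.rsplit("@", 1)[-1].lower() not in trusted_domains

def find_external_grants(event, trusted_domains):
    """Return (methodName, member, role) for each external principal gaining privileged access."""
    payload = event.get("protoPayload", {})
    method = payload.get("methodName")
    hits = []
    if method == "InsertProjectOwnershipInvite":
        # An ownership invite always concerns roles/owner; the member sits in the request.
        member = payload.get("request", {}).get("member", "")
        if is_external(member, trusted_domains):
            hits.append((method, member, "roles/owner"))
    elif method == "SetIamPolicy":
        # Only ADD deltas matter; REMOVE deltas reduce access.
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if (d.get("action") == "ADD" and d.get("role") in PRIVILEGED_ROLES
                    and is_external(d.get("member", ""), trusted_domains)):
                hits.append((method, d["member"], d["role"]))
    return hits

# Constructed events, modelled on the two shortened samples above.
SAMPLE_EVENTS = [
    {"protoPayload": {"methodName": "InsertProjectOwnershipInvite",
                      "resourceName": "projects/target-project",
                      "request": {"member": "user:attacker@gmail.com", "projectId": "target-project"}}},
    {"protoPayload": {"methodName": "SetIamPolicy",
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/editor", "member": "user:attacker@gmail.com"},
                          {"action": "ADD", "role": "roles/editor", "member": "user:alice@example.com"},
                          {"action": "ADD", "role": "roles/viewer", "member": "user:bob@gmail.com"}]}}}},
]

def scan(events, trusted_domains=frozenset({"example.com"})):
    """Run the rule over a batch of decoded audit log entries."""
    return [hit for e in events for hit in find_external_grants(e, trusted_domains)]

if __name__ == "__main__":
    for method, member, role in scan(SAMPLE_EVENTS):
        print(json.dumps({"alert": "external principal granted privileged role",
                          "method": method, "member": member, "role": role}))
```

In-org grants and non-privileged roles are ignored, so the internal editor grant and the external viewer grant in the sample produce no alert.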
Reproduce the attack
You can easily reproduce this attack in a self-contained manner with Stratus Red Team using the following command:
stratus detonate gcp.persistence.invite-external-user
See also the related documentation.
How Datadog can help
Cloud SIEM
Datadog Cloud SIEM detects this attack using the out-of-the-box rule "External principal assigned a privileged role on a Google Cloud Project".
References
Invite an external user to a Google Cloud project
stratus-red-team.cloud
Manage project members or change project ownership
gcp documentation