Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs - Gabriel Fried
Summary
TL;DR: In this talk, Gabriel Fried, a senior security researcher, walks through Google Cloud Platform (GCP) audit logs with a focus on the principal part of each entry and why it matters for security investigations. He explains the identity types that show up in GCP logs (users, workload identities, and service accounts), then covers impersonation, delegation chains, and the difficulty of recognising Google-managed service agents. He closes with practical guidance on investigating incidents in GCP environments using this knowledge.
Takeaways
- 🔒 Knowing who accessed or modified a GCP project is emphasised as the starting point of any cloud incident: it cuts the time spent on investigations and avoids unnecessary financial loss from chasing the wrong lead.
- 👤 The talk introduces three main identity types in GCP: users, workload identities, and service accounts, each serving different purposes and using different access methods within the GCP environment.
- 🔑 Service accounts in GCP are used for service-to-service operations and can be recognised by the 'gserviceaccount.com' suffix in their email address. They can be user-managed or Google-managed, with different authentication and access control mechanisms.
- 🔄 The concept of service account impersonation is explained, allowing one service account to act on behalf of another, which can be legitimate for tasks like delegated access or potentially malicious for privilege escalation.
- 🔗 Delegation chains are highlighted as a series of impersonations where a service account may need to impersonate multiple other service accounts to access resources, which is crucial for tracing back the origin of operations in an incident.
- 📝 The structure of cloud audit logs is detailed, including authentication info and service account delegation info, which are vital for understanding the 'who, what, and where' of actions taken within GCP.
- 📡 Workload identities offer a solution for external entities to access GCP resources securely without the need for managing keys, using an IDP trust and token exchange process.
- 👥 Workforce identity federation is mentioned as a similar solution for human users, allowing them direct access to GCP resources after authentication with an IDP, without the need for impersonation.
- 🕵️♂️ The speaker suggests using the knowledge of identities and logs to investigate incidents effectively, tracing actions back to their origin and understanding the context of operations within GCP.
- ⚠️ The talk warns about cases where Google redacts the caller IP or the identity for privacy reasons, and advises checking Google's documentation to understand how such cases appear in the logs.
- 📈 The talk concludes with a call to action for attendees to review their GCP logs to understand the activities, and in time, to be able to write detections based on their environment's impersonation patterns.
Q & A
What is the main focus of the talk 'Who Touched My GCP Project'?
-The talk focuses on understanding the principal part in Cloud audit logs to identify who performed actions within a GCP project, which is crucial for security incident investigation and resolution.
Why is it important to understand who touched a GCP project?
-Understanding who touched a GCP project is important to reduce time loss and potential financial loss due to false investigations, and to quickly resolve security incidents by identifying the actions and impacts of the involved entities.
What is the role of Permiso in cloud security?
-Permiso is a threat detection company that provides a purpose-built platform for detecting threats in cloud-based environments. It uses human and non-human identity attribution to analyze data across authentication boundaries and produce actionable detections.
What are the three main identity types in GCP?
-The three main identity types in GCP are users, workload identities, and service accounts. Users are human entities, workload identities are for external entities, and service accounts are for service-to-service operations.
What are the two main sections of cloud audit logs in GCP?
-The two main sections of cloud audit logs in GCP are data access and admin activity. Data access logs record access to certain data, while admin activity logs record administrative operations.
What is a service account in GCP and how is it used?
-A service account in GCP provides an identity for a resource to access another resource. It is used for service-to-service operations, such as when an application on a VM needs to access a GCP bucket.
What are the two methods of accessing a service account in GCP?
-The two methods of accessing a service account in GCP are activation and impersonation. Activation involves logging in as the service account, while impersonation allows a service account to act on behalf of a user to access a resource.
What is the purpose of service account impersonation in GCP?
-Service account impersonation allows a service account to act on behalf of a user to access a resource. It can be used for legitimate cases like delegating access or for malicious purposes such as data exfiltration or privilege escalation.
What is a service agent in GCP and how does it differ from a service account?
-A service agent in GCP acts on behalf of a particular Google service, and it is the identity that appears in the logs of that service's operations. Unlike service accounts, service agents are completely managed by Google and cannot be impersonated.
What is workload identity and how does it provide a solution for external entities accessing GCP resources?
-Workload identity provides external cloud providers or SaaS applications with an identity to access GCP resources without the need for keys. It uses keyless authentication through an IDP trust to GCP, allowing external entities to authenticate and access GCP resources securely.
What is the significance of the Google Kubernetes Engine default service account in the context of the talk?
-The Google Kubernetes Engine default service account is significant because it is often used for operations within the Kubernetes environment. Any operation from a VM, even with an attached service account, happens through a delegation from the default service account, which is an important behavior to recognize during investigations.
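The log structure described in the takeaways and in the Q&A above (authentication info, the service account delegation chain, redacted caller IPs, and the different identity kinds), worked through as an added example that is not code from the talk or from the speaker. The three audit log entries are constructed for illustration; the field names follow Google's AuditLog schema (protoPayload.authenticationInfo, serviceAccountDelegationInfo, requestMetadata.callerIp). Three things are assumptions to verify against Google's documentation: that the delegation list is ordered from the original caller to the last impersonator, that the listed service-agent domains and the gcp-sa- prefix cover the Google-managed agents you care about, and that "private" and "gce-internal" are the only redacted callerIp values relevant to your environment.

```python
"""Resolve the originating principal in a GCP Cloud Audit Log entry.

The sample entries below are constructed for illustration (not real logs);
only the fields the resolver reads are populated.
"""
from typing import Any, Optional

# callerIp values Google substitutes when the source address is redacted
# (assumption: taken from the AuditLog RequestMetadata docs; re-check for your case).
REDACTED_CALLER_IPS = {"private", "gce-internal"}

# Known Google-managed service-agent domains (heuristic, not exhaustive).
SERVICE_AGENT_DOMAINS = {
    "cloudservices.gserviceaccount.com",
    "compute-system.iam.gserviceaccount.com",
    "container-engine-robot.iam.gserviceaccount.com",
}


def classify_principal(principal: Optional[str]) -> str:
    """Map a principalEmail / principalSubject / chain hop to an identity kind."""
    if principal is None:
        return "redacted"                 # Google withheld the identity
    if "/workforcePools/" in principal:
        return "workforce-identity"       # human user via Workforce Identity Federation
    if "/workloadIdentityPools/" in principal or principal.startswith("third-party:"):
        return "workload-identity"        # external workload federated through an IdP
    if not principal.endswith(".gserviceaccount.com"):
        return "user"
    domain = principal.split("@", 1)[1]
    if domain == "developer.gserviceaccount.com":
        return "default-service-account"  # e.g. PROJECT_NUMBER-compute@developer...
    if domain.startswith("gcp-sa-") or domain in SERVICE_AGENT_DOMAINS:
        return "service-agent"            # Google-managed; cannot be impersonated
    return "service-account"              # user-managed: NAME@PROJECT_ID.iam.gserviceaccount.com


def delegation_chain(auth: dict[str, Any]) -> list[str]:
    """Flatten serviceAccountDelegationInfo into the list of impersonating principals.

    Assumption: entries run from the original caller to the last impersonator,
    and the authenticated service account itself is not repeated in the list.
    """
    hops = []
    for hop in auth.get("serviceAccountDelegationInfo", []):
        if "firstPartyPrincipal" in hop:
            hops.append(hop["firstPartyPrincipal"].get("principalEmail", "<redacted>"))
        elif "thirdPartyPrincipal" in hop:
            claims = hop["thirdPartyPrincipal"].get("thirdPartyClaims", {})
            hops.append(f"third-party:{claims.get('iss', '?')}#{claims.get('sub', '?')}")
    return hops


def resolve_principal(entry: dict[str, Any]) -> dict[str, Any]:
    """Answer 'who touched it?' for one audit log entry."""
    payload = entry["protoPayload"]
    auth = payload.get("authenticationInfo", {})
    meta = payload.get("requestMetadata", {})
    authenticated = auth.get("principalEmail") or auth.get("principalSubject")
    hops = delegation_chain(auth)
    origin = hops[0] if hops else authenticated   # walk the chain back to its start
    caller_ip = meta.get("callerIp")
    return {
        "method": payload.get("methodName"),
        "log_type": "data_access" if "data_access" in entry.get("logName", "") else "admin_activity",
        "authenticated_as": authenticated,
        "authenticated_type": classify_principal(authenticated),
        "origin": origin,
        "origin_type": classify_principal(origin),
        "chain": " -> ".join(hops + [authenticated or "<redacted>"]),
        "impersonated": bool(hops),
        "hops": len(hops),
        "key_authenticated": "serviceAccountKeyName" in auth,  # SA key used, not impersonation
        "caller_ip": caller_ip,
        "caller_ip_redacted": caller_ip in REDACTED_CALLER_IPS,
    }


def make_entry(method: str, auth: dict, caller_ip: str, log_type: str = "data_access") -> dict:
    """Build a minimal constructed AuditLog entry (constructed sample data)."""
    return {
        "logName": f"projects/example-proj/logs/cloudaudit.googleapis.com%2F{log_type}",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "storage.googleapis.com",
            "methodName": method,
            "authenticationInfo": auth,
            "requestMetadata": {"callerIp": caller_ip},
        },
    }


# Constructed samples: a two-hop delegation chain, a federated workload, and a service agent.
SAMPLES = {
    "chain": make_entry("storage.objects.get", {
        "principalEmail": "sa-b@example-proj.iam.gserviceaccount.com",
        "serviceAccountDelegationInfo": [
            {"firstPartyPrincipal": {"principalEmail": "alice@example.com"}},
            {"firstPartyPrincipal": {"principalEmail": "sa-a@example-proj.iam.gserviceaccount.com"}},
        ]}, "203.0.113.10"),
    "federated": make_entry("storage.objects.create", {
        "principalEmail": "ci-deployer@example-proj.iam.gserviceaccount.com",
        "serviceAccountDelegationInfo": [{"thirdPartyPrincipal": {"thirdPartyClaims": {
            "iss": "https://idp.example.com", "sub": "pipeline-42"}}}]}, "private"),
    "agent": make_entry("storage.buckets.update", {
        "principalEmail": "service-123456789012@gcp-sa-exampleservice.iam.gserviceaccount.com"},
        "gce-internal", "activity"),
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        r = resolve_principal(entry)
        flag = " [redacted]" if r["caller_ip_redacted"] else ""
        print(f"{name:9} {r['method']:24} origin={r['origin']} ({r['origin_type']}) "
              f"hops={r['hops']} ip={r['caller_ip']}{flag}")
```

Running it prints one line per sample showing the originating principal rather than the service account that finally made the call; on real exported log entries you would feed the same `resolve_principal` function each JSON record. The `origin_type` and `hops` fields are what the talk suggests baselining per environment before writing detections on impersonation patterns, and `caller_ip_redacted` marks the entries where Google has withheld the source address.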