Google Cloud Pen Testing Overview

Aug 30, 2024

Lecture Notes on Google Cloud Pen Testing

Introduction

  • Transitioning from AWS to GCP can be challenging.
  • GCP has a different model that may appeal to some users once understood.
  • Setup in GCP is quick, but security issues arise, especially around service accounts.

Shared Responsibility Model

  • Google operates on a "shared fate" model, implying that if customers fail, Google fails too.
  • Google Cloud encompasses services like Google Workspace, BigQuery, and Google Analytics.

Guest Speaker: Kat Traxler from Vectra AI

  • Discussed entry points into a Google Cloud account.
  • Pen testing methodologies for GCP.
  • Comparison of GCP pen testing with AWS and Azure.
  • Importance of understanding the maturity of a client’s cloud infrastructure.

Pen Testing Methodology

  • Initial focus on understanding how to access a Google Cloud account.
  • Differences between pen testing in GCP vs AWS:
    • AWS involves role assumptions for lateral movement.
    • GCP uses service accounts for lateral movement.
  • Importance of tooling: a configuration review is more than a checklist exercise; it's about evidence collection.

Tools and Resources

  • Kat shared her open-source tool named DeRF for simulating attacks and creating infrastructure.
  • Other tools discussed include Stratus and Stratus Red Team.

GCP Specifics

  • Understanding Google Cloud’s IAM model is crucial.
  • The complexity of services like BigQuery makes data access challenging.
  • Low-hanging fruit in GCP includes default service accounts with excessive permissions.
    • Example: Default service accounts are created automatically with the broad Editor role, which is a security risk.

Best Practices for GCP Security

  • Encourage custom service accounts with more tightly scoped roles.
  • Organizations should enable policies to prevent automatic creation of default service accounts.
  • Understand the significance of Google Workspace in relation to Google Cloud.
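
As an added example (not from the episode, and not Kat's or Google's own code), the following Python script flags default service accounts that still hold a basic role in a project's IAM policy; it assumes the policy document has the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json`, the sample policy is constructed, and the preventive control referenced in the closing comment is the documented `iam.automaticIamGrantsForDefaultServiceAccounts` organization policy constraint.

```python
import json
import re

# Default service accounts GCP creates automatically, by their documented
# naming conventions: the Compute Engine and App Engine default accounts.
DEFAULT_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[a-z][-a-z0-9]*@appspot\.gserviceaccount\.com$"),
]

# Basic (primitive) roles apply project-wide and are far broader than any workload needs.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def find_default_sa_basic_roles(policy):
    """Return sorted [(member, role)] for default service accounts bound to a basic role.

    `policy` is the parsed JSON from `gcloud projects get-iam-policy PROJECT_ID --format=json`.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if any(p.match(member) for p in DEFAULT_SA_PATTERNS):
                findings.append((member, role))
    return sorted(findings)


# Constructed sample policy (not captured from a real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:app-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]}
  ],
  "etag": "BwXyz", "version": 1
}
""")

if __name__ == "__main__":
    for member, role in find_default_sa_basic_roles(SAMPLE_POLICY):
        print(f"{member} holds {role}; replace with a custom SA and a tightly scoped role")
    # Preventive control at the organization level (placeholder ORG_ID; not run here):
    # gcloud resource-manager org-policies enable-enforce \
    #   constraints/iam.automaticIamGrantsForDefaultServiceAccounts --organization=ORG_ID
```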

Common Vulnerabilities

  • Discussed service account impersonation and cross-project service account access as risky actions.
  • Importance of monitoring third-party software for security.

Conclusion and Follow-up

  • Encouragement to share the podcast episode with others interested in cloud pen testing.
  • Reminder to subscribe to the podcast on various platforms.

Non-Technical Insights from Kat Traxler

  • Kat's enjoyment of gardening, particularly tomatoes.
  • Favorite restaurant: a dosa restaurant near her house.

Additional Resources

  • Follow Kat on LinkedIn and Twitter for more insights.
  • Links to DeRF and other mentioned tools will be provided in the episode notes.