Google Cloud Pen Testing Overview
Aug 30, 2024
Lecture Notes on Google Cloud Pen Testing
Introduction
Transitioning from AWS to GCP can be challenging.
GCP has a different model that may appeal to some users once understood.
GCP is quick to set up, but security issues arise, especially around service accounts.
Shared Responsibility Model
Google operates on a "shared fate" model, implying that if customers fail, Google fails too.
Google Cloud encompasses services like Google Workspace, BigQuery, and Google Analytics.
Guest Speaker: Kat Traxler from Vectra AI
Discussed entry points into a Google Cloud account.
Pen testing methodologies for GCP.
Comparison of GCP pen testing with AWS and Azure.
Importance of understanding the maturity of a client’s cloud infrastructure.
Pen Testing Methodology
Initial focus on understanding how to access a Google Cloud account.
Differences between pen testing in GCP vs AWS:
AWS involves role assumptions for lateral movement.
GCP uses service accounts for lateral movement.
Importance of tools: a configuration review is more than checking settings against a checklist; it is about collecting evidence.
Tools and Resources
Kat shared her open-source tool named DERF for simulating attacks and creating infrastructure.
Other tools discussed include Stratus and Stratus Red Team.
GCP Specifics
Understanding Google Cloud’s IAM model is crucial.
The complexity of services like BigQuery makes data access challenging.
Low-hanging fruit in GCP includes default service accounts with excessive permissions.
Example: default service accounts are created automatically with the broad Editor role, which is a security risk.
Best Practices for GCP Security
Encourage custom service accounts with more tightly scoped roles.
Organizations should enable policies to prevent automatic creation of default service accounts.
Understand the significance of Google Workspace in relation to Google Cloud.
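The two practices above (scoped custom service accounts, and policy that stops the automatic Editor grant) can be checked against a project's IAM policy. The following is an added example, not a tool from the podcast or from Kat Traxler: it takes a policy document in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` (the sample below is constructed, with a made-up project number and principals), flags the Google-managed default service accounts that hold a basic role, and prints the `gcloud` commands that remove those bindings plus the organization policy constraint `iam.automaticIamGrantsForDefaultServiceAccounts` that prevents the grant for new projects. `ORG_ID_PLACEHOLDER` is a placeholder for your organization id.

```python
import json
import re

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# The project number, project id and principals are made up.
SAMPLE_PROJECT_ID = "example-project"
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/owner",
     "members": ["serviceAccount:example-project@appspot.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:ci-runner@example-project.iam.gserviceaccount.com"]}
  ],
  "etag": "BwX0example",
  "version": 1
}
"""
SAMPLE_POLICY = json.loads(SAMPLE_POLICY_JSON)

# Google-managed default service accounts: Compute Engine and App Engine.
DEFAULT_SA_PATTERNS = (
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[a-z][a-z0-9:.-]*@appspot\.gserviceaccount\.com$"),
)
# Basic (primitive) roles grant broad access across every service in the project.
BASIC_ROLES = frozenset({"roles/owner", "roles/editor", "roles/viewer"})


def is_default_service_account(member):
    """True if the IAM member string names a Google-managed default service account."""
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)


def find_default_sa_basic_roles(policy):
    """Return (member, role) pairs where a default service account holds a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if is_default_service_account(member):
                findings.append((member, role))
    return findings


def remediation_commands(project_id, findings):
    """gcloud commands that remove each risky binding, followed by the org-policy
    constraint that stops the automatic Editor grant for newly created projects.
    ORG_ID_PLACEHOLDER must be replaced with the real organization id."""
    cmds = [
        f"gcloud projects remove-iam-policy-binding {project_id} "
        f"--member='{member}' --role='{role}'"
        for member, role in findings
    ]
    cmds.append(
        "gcloud resource-manager org-policies enable-enforce "
        "constraints/iam.automaticIamGrantsForDefaultServiceAccounts "
        "--organization=ORG_ID_PLACEHOLDER"
    )
    return cmds


if __name__ == "__main__":
    found = find_default_sa_basic_roles(SAMPLE_POLICY)
    for member, role in found:
        print(f"RISK: {member} holds {role}")
    for cmd in remediation_commands(SAMPLE_PROJECT_ID, found):
        print(cmd)
```

Removing the Editor binding does not break workloads that already use a custom, narrowly scoped service account; it only affects resources still running as the default account, which is exactly the population to migrate first.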
Common Vulnerabilities
Discussed service account impersonation and cross-project service account access as risky actions.
Importance of monitoring third-party software for security.
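Service account impersonation and cross-project service account use both leave a trace in Cloud Audit Logs, which is where a defender would look for them. The following is an added example, not part of the podcast or any tool mentioned in it: it walks constructed audit-log entries (field names follow the real schema: `protoPayload.serviceName`, `methodName`, `resourceName`, `authenticationInfo.principalEmail` and `serviceAccountDelegationInfo`; every value is made up) and flags token minting through the IAM Credentials API, token minting where the caller's project differs from the target service account's project, and any action carrying a delegation chain, which means it was performed under an impersonated identity.

```python
import json

# Constructed sample Cloud Audit Log entries, one JSON document per line.
# Field names follow the real audit-log schema; all values are made up.
SAMPLE_LOG_LINES = [
    # 1. A service account in dev-project mints a token for a service account in prod-project.
    json.dumps({
        "protoPayload": {
            "serviceName": "iamcredentials.googleapis.com",
            "methodName": "GenerateAccessToken",
            "resourceName": "projects/-/serviceAccounts/deploy@prod-project.iam.gserviceaccount.com",
            "authenticationInfo": {"principalEmail": "ci@dev-project.iam.gserviceaccount.com"},
        },
        "resource": {"type": "service_account", "labels": {"project_id": "prod-project"}},
        "timestamp": "2024-08-30T12:00:00Z",
    }),
    # 2. An action taken as the impersonated identity; the delegation chain names the human behind it.
    json.dumps({
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.list",
            "resourceName": "projects/_/buckets/prod-backups",
            "authenticationInfo": {
                "principalEmail": "deploy@prod-project.iam.gserviceaccount.com",
                "serviceAccountDelegationInfo": [
                    {"firstPartyPrincipal": {"principalEmail": "bob@example.com"}}
                ],
            },
        },
        "resource": {"type": "gcs_bucket", "labels": {"project_id": "prod-project"}},
        "timestamp": "2024-08-30T12:00:05Z",
    }),
    # 3. Benign: a user reads a bucket directly, with no impersonation involved.
    json.dumps({
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.buckets.get",
            "resourceName": "projects/_/buckets/dev-assets",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
        },
        "resource": {"type": "gcs_bucket", "labels": {"project_id": "dev-project"}},
        "timestamp": "2024-08-30T12:01:00Z",
    }),
]

# IAM Credentials API methods that produce credentials for another identity.
TOKEN_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}


def service_account_project(email):
    """Project that owns a user-managed service account, or None for users and
    Google-managed accounts (which do not carry the project id in the domain)."""
    _, _, domain = email.partition("@")
    suffix = ".iam.gserviceaccount.com"
    if domain.endswith(suffix):
        return domain[: -len(suffix)]
    return None


def analyze_entry(entry):
    """Return a list of findings (possibly empty) for one audit-log entry."""
    payload = entry.get("protoPayload", {})
    auth = payload.get("authenticationInfo", {})
    caller = auth.get("principalEmail", "")
    method = payload.get("methodName", "")
    findings = []

    # Credential minting through the IAM Credentials API.
    if payload.get("serviceName") == "iamcredentials.googleapis.com" and method in TOKEN_METHODS:
        target = payload.get("resourceName", "").rsplit("/", 1)[-1]
        finding = {"type": "token_minted", "caller": caller, "target": target, "method": method}
        caller_project = service_account_project(caller)
        target_project = service_account_project(target)
        if caller_project and target_project and caller_project != target_project:
            finding["type"] = "cross_project_token_minted"
        findings.append(finding)

    # Any call carrying a delegation chain was made with an impersonated identity.
    chain = auth.get("serviceAccountDelegationInfo") or []
    if chain:
        first = chain[0]
        origin = first.get("firstPartyPrincipal", {}).get("principalEmail") or first.get("principalSubject")
        findings.append({"type": "delegated_action", "caller": caller, "origin": origin, "method": method})
    return findings


def detect_impersonation(lines):
    """Run analyze_entry over JSON log lines and collect all findings."""
    findings = []
    for line in lines:
        findings.extend(analyze_entry(json.loads(line)))
    return findings


if __name__ == "__main__":
    for finding in detect_impersonation(SAMPLE_LOG_LINES):
        print(finding)
```

The cross-project rule compares the caller's project with the target service account's project, so a legitimate in-project impersonation (a CI runner minting a token for a deploy account in the same project) still surfaces as `token_minted` but not as the higher-severity `cross_project_token_minted`; triage thresholds can be set on each type separately.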
Conclusion and Follow-up
Encouragement to share the podcast episode with others interested in cloud pen testing.
Reminder to subscribe to the podcast on various platforms.
Non-Technical Insights from Kat Traxler
Kat's enjoyment of gardening, particularly tomatoes.
Favorite restaurant: dosa restaurant nearby her house.
Additional Resources
Follow Kat on LinkedIn and Twitter for more insights.
Links to DERF and other mentioned tools will be provided in the episode notes.