Closed christophetd closed 1 year ago
Sources:
gcloud projects get-iam-policy sandbox
gcloud organizations get-iam-policy xxxx
Sample log:
{
  "resource": {
    "labels": { "project_id": "sandbox-project" },
    "type": "project"
  },
  "severity": "INFO",
  "receiveTimestamp": "2022-07-28T08:35:45.933806396Z",
  "insertId": "-fiy70udkd6g",
  "logName": "projects/sandbox-project/logs/cloudaudit.googleapis.com%2Fdata_access",
  "timestamp": "2022-07-28T08:35:45.549383Z",
  "protoPayload": {
    "authorizationInfo": [
      {
        "granted": true,
        "resource": "projects/sandbox-project",
        "resourceAttributes": {
          "type": "cloudresourcemanager.googleapis.com/Project",
          "name": "projects/sandbox-project",
          "service": "cloudresourcemanager.googleapis.com"
        },
        "permission": "resourcemanager.projects.getIamPolicy"
      }
    ],
    "request": {
      "resource": "sandbox-project",
      "@type": "type.googleapis.com/google.iam.v1.GetIamPolicyRequest",
      "options": { "requestedPolicyVersion": 3 }
    },
    "requestMetadata": {},
    "resourceName": "projects/sandbox-project",
    "authenticationInfo": {
      "principalSubject": "user:user@domain.tld",
      "principalEmail": "user@domain.tld"
    },
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "serviceName": "cloudresourcemanager.googleapis.com"
  }
}
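An added example (not from the issue or the project) showing how a detection would pick the getIamPolicy events out of Cloud Audit data_access entries shaped like the sample above, covering projects, folders and organizations, and tallying them per principal so the noise level the comments discuss can be measured. The log entries are constructed here; the folder and organization permission names are assumed by analogy with the project one in the sample.

```python
import json
from collections import Counter

# Permissions that indicate an IAM policy read on a resource-manager node.
# The project one is in the issue's sample; folder/organization are assumed.
GET_IAM_POLICY_PERMISSIONS = {
    "resourcemanager.projects.getIamPolicy",
    "resourcemanager.folders.getIamPolicy",
    "resourcemanager.organizations.getIamPolicy",
}


def _entry(permission, resource, granted=True, principal="user@domain.tld"):
    """Build a constructed data_access audit entry modelled on the sample log."""
    return json.dumps({
        "logName": "projects/sandbox-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "authenticationInfo": {"principalEmail": principal},
            "authorizationInfo": [
                {"granted": granted, "resource": resource, "permission": permission}
            ],
            "resourceName": resource,
        },
    })


# Constructed sample: a project read, a folder read, a denied org read,
# and an unrelated project.get that must not match.
SAMPLE_LOGS = [
    _entry("resourcemanager.projects.getIamPolicy", "projects/sandbox-project"),
    _entry("resourcemanager.folders.getIamPolicy", "folders/123456789012"),
    _entry("resourcemanager.organizations.getIamPolicy", "organizations/1", granted=False),
    _entry("resourcemanager.projects.get", "projects/sandbox-project"),
]


def iam_policy_reads(raw_entry):
    """Return (principal, resource, permission) for each granted getIamPolicy in one entry."""
    payload = json.loads(raw_entry).get("protoPayload", {})
    if payload.get("serviceName") != "cloudresourcemanager.googleapis.com":
        return []
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    return [
        (principal, auth.get("resource", payload.get("resourceName")), auth["permission"])
        for auth in payload.get("authorizationInfo", [])
        if auth.get("granted") and auth.get("permission") in GET_IAM_POLICY_PERMISSIONS
    ]


def reads_per_principal(lines):
    """Count granted IAM policy reads per principal; high counts show how routine the call is."""
    return Counter(hit[0] for line in lines for hit in iam_policy_reads(line))
```

A denied call is left out on purpose: the authorizationInfo entry still records the attempt, so a rule that wants failed reconnaissance as well should drop the `granted` check.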
we should include folders in this, too, along with modification
Thanks for your input @jonpulsifer, can you clarify what you mean?
Sounds way too common to be a TTP, on second thoughts