Filmed for the Dark Reading News Desk at Black Hat Virtual. Excerpts below.
DYLAN AYREY: The [Google Cloud Platform] ActAs permission is a permission that can be used to attach an identity to a resource that you’ve provisioned. So it can be used by an attacker because if one identity that an attacker has control over can itself attach other identities to resources that the attacker would [then] have full control over, then they can use that to elevate their permissions. ...
ALLISON DONOVAN: There are a few different cool ways to mitigate these problems from the start to try to take a proactive approach to securing your [identity and access management] around your resources in GCP. One really cool mitigation that we were working with GCP on … providing platform-level configurations that enabled you to remove IAM permissions from some of the default identities that are created in GCP – specifically the Compute Engine service account and the App Engine service accounts.