Security engineer Dylan Ayrey and Cruise senior infrastructure security engineer Allison Donovan describe fundamental weaknesses in GCP identity management that enable privilege escalation and lateral movement.

Dark Reading Staff, Dark Reading

August 6, 2020

1 Min Read

Filmed for the Dark Reading News Desk at Black Hat Virtual. Excerpts below.

DYLAN AYREY: The [Google Cloud Platform] ActAs permission is a permission that can be used to attach an identity to a resource that you’ve provisioned. So it can be used by an attacker because if one identity that an attacker has control over can itself attach other identities to resources that the attacker would [then] have full control over, then they can use that to elevate their permissions. ...

ALLISON DONOVAN: There are a few different cool ways to mitigate these problems from the start to try to take a proactive approach to securing your [identity and access management] around your resources in GCP. One really cool mitigation that we were working with GCP on … providing platform-level configurations that enabled you to remove IAM permissions from some of the default identities that are created in GCP – specifically the Compute Engine service account and the App Engine service accounts.

Related content:

Read more about:

Black Hat News

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights