"allUsers/allAuthenticatedUsers" : An ATT&CK tale of the "evil-twin" GCP IAM principals

By Vidya Gopalakrishnan

Elevator Pitch

When granting IAM permissions in GCP, developers may use two principals, "allUsers" and "allAuthenticatedUsers", for seemingly innocuous use-cases. But what if it is possible to "pwn" an entire GCP project through just these two "evil-twin" principals? If you're curious, this talk is for you.

Description

Several research and threat reports have examined which cloud security threats are most common. Not surprisingly, misconfigurations lead the list: according to a report from Accurics, misconfigured storage services alone accounted for close to 200 breaches exposing more than 30 billion records, and such storage misconfigurations were found in 93 percent of cloud deployments between 2018-2021; the same report predicted that cloud breaches are likely to increase in both velocity and scale. GCP, like other cloud platforms, is being adopted at a rapid rate, which makes securing GCP deployments against misconfigurations all the more important. In this talk we deal with one type of misconfiguration commonly seen in GCP deployments: granting access to "principals" that are outside an organization's scope.

In GCP's Identity and Access Management model, a "principal" is an identity that can be granted access to a resource: a Google Account (for end users), a service account (for applications and virtual machines), a Google group, or a Google Workspace or Cloud Identity domain. A "role" is a collection of permissions that can be granted to a principal. Two special principals exist alongside these. "allUsers" represents anyone on the internet, authenticated or not. "allAuthenticatedUsers" represents all service accounts and all users on the internet who have authenticated with a Google Account, which includes personal Gmail accounts that have no connection to the organization's Workspace or Cloud Identity domain. Granting either of these principals the right role on the right kind of resource opens the environment to a range of attacks.

In this talk we walk through what those attack paths look like, with demonstrations of attack scenarios on three GCP services:

1. Cloud Storage
2. Cloud Functions
3. Cloud Run

To explain how each attack progresses, we map our techniques to the industry-standard MITRE ATT&CK framework. At the end of this talk, the audience will walk away with:

a) an understanding of the threats that arise when "allUsers" or "allAuthenticatedUsers" is used for seemingly innocuous developer use-cases on Cloud Storage, Cloud Functions and Cloud Run;
b) a prevention strategy that thwarts these attack pathways at the GCP organization level by means of org-wide policy constraints (for example, the domain-restricted-sharing constraint constraints/iam.allowedPolicyMemberDomains); and
c) a detection strategy that spots misconfigurations involving these two principals, either through Cloud Audit Logs (Stackdriver) or through the Cloud Asset Inventory API.
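As an added illustration of the detection side described above (this is example code written for this page, not material from the talk or from Google), the script below scans IAM policy records for bindings that grant a role to "allUsers" or "allAuthenticatedUsers" and separately pulls public grants out of a Cloud Audit Log entry. The sample records are constructed: the asset records follow the shape of `gcloud asset search-all-iam-policies --format=json` output (resource, assetType, project, policy), the audit entry follows the `protoPayload.serviceData.policyDelta.bindingDeltas` layout that Cloud Storage and project-level IAM changes use, and the table of high-risk roles is this example's own choice, not a list from the talk.

```python
"""Flag IAM bindings that grant access to allUsers / allAuthenticatedUsers.

Example code added for this page. Sample data below is constructed to mirror
Cloud Asset Inventory search results and a Cloud Audit Log SetIamPolicy entry.
"""
import json

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that matter most when granted to a public principal on the three services
# covered by the talk. The impact notes are this example's assumptions.
HIGH_RISK_ROLES = {
    "storage.googleapis.com/Bucket": {
        "roles/storage.objectViewer": "public read of every object (collection / exfiltration)",
        "roles/storage.objectAdmin": "public read, write and delete of objects",
        "roles/storage.admin": "public control of the bucket and its IAM policy",
    },
    "cloudfunctions.googleapis.com/CloudFunction": {
        "roles/cloudfunctions.invoker": "anyone can invoke the function",
    },
    "run.googleapis.com/Service": {
        "roles/run.invoker": "anyone can invoke the service",
    },
}


def find_public_bindings(records):
    """Return one finding per (resource, role, member) granting a public principal."""
    findings = []
    for rec in records:
        asset_type = rec.get("assetType", "")
        for binding in rec.get("policy", {}).get("bindings", []):
            public = set(binding.get("members", [])) & PUBLIC_MEMBERS
            if not public:
                continue  # binding only names org identities; nothing to report
            role = binding["role"]
            impact = HIGH_RISK_ROLES.get(asset_type, {}).get(role)
            for member in sorted(public):
                findings.append({
                    "resource": rec["resource"],
                    "project": rec.get("project"),
                    "role": role,
                    "member": member,
                    "severity": "HIGH" if impact else "MEDIUM",
                    "note": impact or "public principal on a role outside the high-risk table",
                })
    return findings


def public_grants_in_audit_entry(entry):
    """Return (role, member) pairs ADDed for a public principal in one audit log entry.

    Reads protoPayload.serviceData.policyDelta.bindingDeltas, the field Cloud Storage
    and project-level IAM audit logs use to record policy changes.
    """
    deltas = (entry.get("protoPayload", {}).get("serviceData", {})
              .get("policyDelta", {}).get("bindingDeltas", []))
    return [(d["role"], d["member"]) for d in deltas
            if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS]


# Constructed sample data (names and project numbers are made up).
SAMPLE_ASSETS = [
    {"resource": "//storage.googleapis.com/acme-prod-backups",
     "assetType": "storage.googleapis.com/Bucket", "project": "projects/123456789012",
     "policy": {"bindings": [
         {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
         {"role": "roles/storage.admin", "members": ["user:alice@example.com"]}]}},
    {"resource": "//cloudfunctions.googleapis.com/projects/acme-prod/locations/us-central1/functions/rotate-keys",
     "assetType": "cloudfunctions.googleapis.com/CloudFunction", "project": "projects/123456789012",
     "policy": {"bindings": [
         {"role": "roles/cloudfunctions.invoker", "members": ["allAuthenticatedUsers"]}]}},
    {"resource": "//run.googleapis.com/projects/acme-prod/locations/us-central1/services/internal-api",
     "assetType": "run.googleapis.com/Service", "project": "projects/123456789012",
     "policy": {"bindings": [
         {"role": "roles/run.invoker",
          "members": ["serviceAccount:api@acme-prod.iam.gserviceaccount.com"]}]}},
]

SAMPLE_AUDIT_ENTRY = {
    "protoPayload": {
        "methodName": "storage.setIamPermissions",
        "resourceName": "projects/_/buckets/acme-prod-backups",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
            {"action": "REMOVE", "role": "roles/storage.objectViewer", "member": "user:bob@example.com"},
        ]}},
    }
}

if __name__ == "__main__":
    print(json.dumps(find_public_bindings(SAMPLE_ASSETS), indent=2))
    print(public_grants_in_audit_entry(SAMPLE_AUDIT_ENTRY))
```

Run against real data, `find_public_bindings` would take the parsed output of `gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query="memberTypes:(allUsers OR allAuthenticatedUsers)"`, and `public_grants_in_audit_entry` would run over a Cloud Logging sink; the two give you the point-in-time inventory and the change-time alert respectively. On the sample data the scanner reports two findings (the bucket and the function) and leaves the Cloud Run service alone, since its invoker is a service account inside the project.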

Notes

Requirements: basic knowledge of the GCP IAM model, or of cloud identities in general; familiarity with the MITRE ATT&CK framework; and a general understanding of how prevention and detection strategies work in GCP.

I believe that I can share these insights with the audience because I have had experience building threat hunting campaigns and detections for cloud resources in my role as a lead threat hunter at Palo Alto Networks. I have also given talks at forums like SANS, siberX, etc., on threat hunting and cloud security. Links to some of my past presentations:

- Mindmap your way into the Cloud: A framework for hunting on AWS and GCP: https://www.youtube.com/watch?v=f5n5QAOLIyU
- Threat Hunting in the Dark Side of the Internet: https://www.youtube.com/watch?v=VLrtmVlp2G8&t=1s