Skip to content

Commit

Permalink
Fix broken GCP technique (#305)
Browse files Browse the repository at this point in the history
* Fix GCP attack technique failing to impersonate service accounts (closes #299)

* Adapt GCP attack technique error message

* Update GCP docs quote
  • Loading branch information
christophetd authored Jan 30, 2023
1 parent fad7958 commit b08d3b9
Showing 1 changed file with 18 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,21 @@ References:
- https://cloud.google.com/iam/docs/impersonating-service-accounts
`,
Detection: `
Using GCP Admin Activity audit logs event <code>GenerateAccessToken</code>.
Using GCP Admin Activity audit logs event <code>GenerateAccessToken</code>.
To get this event, you need to [enable IAM audit logs for data access activity](https://cloud.google.com/iam/docs/audit-logging#enabling_audit_logging).
More specifically, you need to enable <code>DATA_READ</code> for your GCP project, e.g. using Terraform:
` + codeBlock + `hcl
data "google_client_config" "current" {}
resource "google_project_iam_audit_config" "audit" {
project = data.google_client_config.current.project
service = "allServices"
audit_log_config {
log_type = "DATA_READ"
}
}
` + codeBlock + `
Sample successful event (shortened for clarity):
Expand Down Expand Up @@ -93,9 +107,9 @@ Sample successful event (shortened for clarity):
When impersonation fails, the generated event **does not contain** the identity of the caller, as explained in the
[GCP documentation](https://cloud.google.com/logging/docs/audit#user-id):
> For privacy reasons, the caller's principal email address is redacted from an audit log if the operation is
> read-only and fails with a "permission denied" error. The only exception is when the caller is a service
> account in the Google Cloud organization associated with the resource; in this case, the email address isn't redacted.
> Audit logging doesn't redact the caller's principal email address for any access that succeeds or for any write operation.
> For read-only operations that fail with a "permission denied" error, Audit Logging might redact the caller's principal
> email address unless the caller is a service account.
Sample **unsuccessful** event (shortened for clarity):
Expand Down

0 comments on commit b08d3b9

Please sign in to comment.