Do I have any Google Cloud Composer service accounts that attackers can exploit?
jdowdy
I just read this article and I'm wondering if I have any Google Cloud Composer service accounts that attackers can leverage. How would I check that in JupiterOne?
Answers
The only access permissions an attacker needs to exploit a service account linked to Google Cloud Composer are the following:
- storage.objects.update
- composer.environments.get
Per the article you shared:

"If you can edit objects in storage buckets, then you can edit the code and update the environment. Therefore, with permissions to edit these objects, the attacker can compromise the Composer's service account and permissions and use them as they wish."

This query is helpful in finding which service accounts hold those permissions:

FIND google_iam_service_account WITH email $= "[email protected]"
  (THAT ASSIGNED << AccessPolicy AS p1)?
  (THAT USES AccessRole)?
  THAT ASSIGNED << AccessPolicy AS p2
  THAT ALLOWS >> (google_cloud_api_service | google_cloud_project | google_cloud_folder | google_cloud_organization)
WHERE p1.permissions=('storage.objects.update') OR p2.permissions=('storage.objects.update')
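As an added example that is not part of the answer above and not JupiterOne's own tooling, the same check expressed in Python over constructed IAM data (the roles, members and permission sets below are made up for illustration): it resolves each service account's effective permissions through its role bindings and flags only those holding both permissions the answer lists, which goes one step beyond the J1QL query, which matches on storage.objects.update alone.

```python
from typing import Dict, List, Set

# The two permissions the answer identifies as sufficient to abuse a
# Composer-linked service account.
REQUIRED_PERMISSIONS: Set[str] = {"storage.objects.update", "composer.environments.get"}

# Constructed sample data (not real GCP output): role -> permissions it grants.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectAdmin": {"storage.objects.update", "storage.objects.get", "storage.objects.delete"},
    "roles/composer.user": {"composer.environments.get", "composer.environments.list"},
    "roles/viewer": {"storage.objects.get", "composer.environments.get"},
}

# Constructed project-level IAM bindings: member -> roles granted on the project.
PROJECT_BINDINGS: Dict[str, List[str]] = {
    "serviceAccount:composer-env@example-project.iam.gserviceaccount.com": ["roles/storage.objectAdmin", "roles/composer.user"],
    "serviceAccount:reporting@example-project.iam.gserviceaccount.com": ["roles/viewer"],
    "serviceAccount:uploader@example-project.iam.gserviceaccount.com": ["roles/storage.objectAdmin"],
    "user:alice@example.com": ["roles/storage.objectAdmin", "roles/composer.user"],
}


def effective_permissions(member: str, bindings: Dict[str, List[str]],
                          role_permissions: Dict[str, Set[str]]) -> Set[str]:
    """Union of the permissions granted to `member` through every role bound to it."""
    perms: Set[str] = set()
    for role in bindings.get(member, []):
        perms |= role_permissions.get(role, set())
    return perms


def find_exposed_service_accounts(bindings: Dict[str, List[str]],
                                  role_permissions: Dict[str, Set[str]],
                                  required: Set[str] = REQUIRED_PERMISSIONS) -> List[str]:
    """Service accounts (users are skipped) whose effective permissions cover every required permission."""
    exposed = []
    for member in bindings:
        if not member.startswith("serviceAccount:"):
            continue
        if required <= effective_permissions(member, bindings, role_permissions):
            exposed.append(member)
    return sorted(exposed)


if __name__ == "__main__":
    for account in find_exposed_service_accounts(PROJECT_BINDINGS, ROLE_PERMISSIONS):
        print("review:", account)
```

Accounts that hold only one of the two permissions (the uploader and reporting accounts in the sample) are left out, so the output is a narrower review list than the J1QL query returns.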