google.iam.admin.v1.CreateRole

​

Event Information

• The google.iam.admin.v1.CreateRole event in GCP for GCPIAM refers to the creation of a new custom role in the Google Cloud Identity and Access Management (IAM) service.
• This event indicates that a user or service account has created a new role with specific permissions and access controls within the GCP project.
• The CreateRole event is important for auditing and tracking purposes, as it allows administrators to monitor and review the creation of custom roles in the GCP IAM service.

​

Examples

1. Unauthorized creation of roles: If security is impacted with google.iam.admin.v1.CreateRole in GCP for GCPIAM, it could potentially allow unauthorized users to create custom roles within the project. This can lead to the creation of roles with excessive privileges or roles that bypass existing security controls, increasing the risk of unauthorized access and potential data breaches.

2. Privilege escalation: The misuse of google.iam.admin.v1.CreateRole in GCP for GCPIAM can also result in privilege escalation attacks. An attacker with access to this API can create roles with higher privileges than their original role, granting them unauthorized access to sensitive resources and data within the project.

3. Role misconfiguration: Improper usage of google.iam.admin.v1.CreateRole in GCP for GCPIAM can lead to role misconfigurations. This can occur when roles are created without proper consideration of the principle of least privilege, resulting in excessive permissions being granted to users or service accounts. Such misconfigurations can increase the attack surface and make it easier for attackers to exploit vulnerabilities within the project.

​

Remediation

​

Using Console

1. Example 1: Ensure that all users have a strong password policy in GCP IAM.

• Step 1: Log in to the GCP Console.
• Step 2: Navigate to the IAM & Admin section.
• Step 3: Click on “IAM” to view the list of users.
• Step 4: Select the user for whom you want to enforce a strong password policy.
• Step 5: Click on the “Edit” button next to the user’s name.
• Step 6: Scroll down to the “Password” section and enable the option for a strong password policy.
• Step 7: Save the changes.

2. Example 2: Ensure that multi-factor authentication (MFA) is enabled for all users in GCP IAM.

• Step 1: Log in to the GCP Console.
• Step 2: Navigate to the IAM & Admin section.
• Step 3: Click on “IAM” to view the list of users.
• Step 4: Select the user for whom you want to enable MFA.
• Step 5: Click on the “Edit” button next to the user’s name.
• Step 6: Scroll down to the “Multi-factor authentication” section and enable the option for MFA.
• Step 7: Save the changes.

3. Example 3: Ensure that unused service accounts are disabled in GCP IAM.

• Step 1: Log in to the GCP Console.
• Step 2: Navigate to the IAM & Admin section.
• Step 3: Click on “Service accounts” to view the list of service accounts.
• Step 4: Select the service account that you want to disable.
• Step 5: Click on the “Disable” button next to the service account’s name.
• Step 6: Confirm the action to disable the service account.
• Step 7: Repeat steps 4-6 for any other unused service accounts that need to be disabled.

​

Using CLI

To remediate the issues related to GCP GCPIAM using GCP CLI, you can follow these steps:

1. Enable multi-factor authentication (MFA) for IAM users:

   • Use the gcloud command to enable MFA for a specific user:

     gcloud auth login
     gcloud auth application-default login
     

   • Follow the prompts to complete the MFA setup.

2. Implement least privilege access control:

   • Use the gcloud command to create a custom IAM role with the necessary permissions:

     gcloud iam roles create <role_name> --project=<project_id> --title="<role_title>" --description="<role_description>" --permissions=<comma_separated_permissions>
     

   • Assign the custom IAM role to the appropriate users or service accounts:

     gcloud projects add-iam-policy-binding <project_id> --member=<member> --role=<role_name>
     

3. Regularly review and rotate access keys:

   • Use the gcloud command to list all the service accounts in a project:

     gcloud iam service-accounts list --project=<project_id>
     

   • For each service account, use the gcloud command to create a new key and delete the old key:

     gcloud iam service-accounts keys create <new_key_file> --iam-account=<service_account_email> --project=<project_id>
     gcloud iam service-accounts keys delete <old_key_file> --iam-account=<service_account_email> --project=<project_id>
     

Please note that the actual commands may vary depending on your specific requirements and configurations. Make sure to replace the placeholders (<role_name>, <project_id>, <member>, <new_key_file>, <old_key_file>, etc.) with the appropriate values.

​

Using Python

To remediate GCP GCPIAM issues using Python, you can utilize the Google Cloud Identity and Access Management (GCPIAM) API. Here are three examples of how you can use Python to address these issues:

1. Granting IAM Roles:

   • Use the google-cloud-iam library to create a service account and grant it the necessary IAM roles.
   • Example Python script:

     from google.cloud import iam
     
     client = iam.IAMClient()
     policy = client.get_policy(request={"resource": "projects/PROJECT_ID"})
     policy.bindings.add(role="roles/ROLE_NAME", members=["user:USER_EMAIL"])
     client.set_policy(request={"resource": "projects/PROJECT_ID", "policy": policy})
     

2. Enforcing IAM Policies:

   • Use the google-cloud-asset library to retrieve the current IAM policies and enforce the desired policies.
   • Example Python script:

     from google.cloud import asset
     
     client = asset.AssetServiceClient()
     response = client.export_assets(request={"parent": "projects/PROJECT_ID", "output_config": {"gcs_destination": {"uri": "gs://BUCKET_NAME/exported_assets"}}})
     

3. Monitoring IAM Changes:

   • Use the google-cloud-logging library to set up a log sink and receive notifications for IAM changes.
   • Example Python script:

     from google.cloud import logging_v2
     
     client = logging_v2.LoggingServiceV2Client()
     response = client.create_sink(request={"parent": "projects/PROJECT_ID", "sink": {"name": "SINK_NAME", "destination": "pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME"}})
     

Please note that you need to replace PROJECT_ID, ROLE_NAME, USER_EMAIL, BUCKET_NAME, SINK_NAME, and TOPIC_NAME with the appropriate values specific to your GCP environment.