Event Information

  • The google.iam.admin.v1.UndeleteRole event in GCP for GCPIAM refers to the action of restoring a previously deleted role in the Google Cloud Identity and Access Management (IAM) system.
  • This event indicates that a role, which was previously deleted by a user or an automated process, has been successfully restored and is now available for use again.
  • The event provides visibility into the management of roles within the GCP IAM system, allowing administrators to track and audit changes made to roles, including their deletion and subsequent restoration.

Examples

  1. Unauthorized role restoration: If security is impacted with google.iam.admin.v1.UndeleteRole in GCP for GCPIAM, it could potentially allow unauthorized users to restore deleted roles. This could lead to the reinstatement of privileged access for individuals who should no longer have it, increasing the risk of unauthorized actions and potential data breaches.

  2. Role escalation: The use of google.iam.admin.v1.UndeleteRole in GCP for GCPIAM could also result in role escalation. An attacker with limited permissions could potentially restore a deleted role with higher privileges, granting them access to sensitive resources and data that they should not have had in the first place.

  3. Compliance violations: If security is impacted with google.iam.admin.v1.UndeleteRole in GCP for GCPIAM, it could lead to compliance violations. Deleted roles are often removed for a reason, such as to comply with security policies or regulatory requirements. By allowing the restoration of deleted roles, organizations may inadvertently violate compliance standards and face potential penalties or legal consequences.

Remediation

Using Console

  1. Example 1: Ensure that all users have multi-factor authentication (MFA) enabled for their GCP accounts.

    • Step 1: Log in to the GCP Console using your administrator account.
    • Step 2: Navigate to the IAM & Admin page by clicking on the “IAM & Admin” option in the left-hand menu.
    • Step 3: In the IAM & Admin page, click on the “IAM” tab.
    • Step 4: Select the user for whom you want to enable MFA.
    • Step 5: Click on the “Edit” button next to the user’s name.
    • Step 6: In the “Edit permissions” dialog, scroll down to the “Two-step verification” section.
    • Step 7: Click on the “Enable” button next to “Two-step verification”.
    • Step 8: Follow the on-screen instructions to set up MFA for the user.

  2. Example 2: Ensure that all GCP service accounts are regularly rotated.

    • Step 1: Log in to the GCP Console using your administrator account.
    • Step 2: Navigate to the IAM & Admin page by clicking on the “IAM & Admin” option in the left-hand menu.
    • Step 3: In the IAM & Admin page, click on the “Service accounts” tab.
    • Step 4: Select the service account for which you want to rotate the keys.
    • Step 5: Click on the “Keys” tab.
    • Step 6: Click on the “Add key” button and select the type of key you want to add (e.g., JSON or P12).
    • Step 7: Follow the on-screen instructions to generate and download the new key.
    • Step 8: Once the new key is downloaded, delete the old key from the list of keys.

  3. Example 3: Ensure that GCP Cloud Storage buckets are not publicly accessible.

    • Step 1: Log in to the GCP Console using your administrator account.
    • Step 2: Navigate to the Cloud Storage page by clicking on the “Storage” option in the left-hand menu.
    • Step 3: In the Cloud Storage page, select the bucket for which you want to change the access permissions.
    • Step 4: Click on the “Permissions” tab.
    • Step 5: In the “Permissions” tab, review the list of users and groups with access to the bucket.
    • Step 6: Remove any entries that have the “allUsers” or “allAuthenticatedUsers” as members.
    • Step 7: Click on the “Add members” button to grant access to specific users or groups, if necessary.
    • Step 8: Save the changes to update the access permissions for the bucket.

Using CLI

To remediate the issues related to GCP GCPIAM using GCP CLI, you can follow these steps:

  1. Enable multi-factor authentication (MFA) for IAM users:

    • Use the gcloud command to enable MFA for a specific user: 
      gcloud auth login
gcloud auth application-default login
    • Follow the prompts to complete the MFA setup.

  2. Implement least privilege access:

    • Use the gcloud command to create a custom IAM role with the necessary permissions: 
      gcloud iam roles create <role_name> --project=<project_id> --title="<role_title>" --description="<role_description>" --permissions=<comma_separated_permissions>
    • Assign the custom IAM role to the appropriate users or service accounts: 
      gcloud projects add-iam-policy-binding <project_id> --member=<member> --role=<role_name>

  3. Regularly review and rotate service account keys:

    • Use the gcloud command to list all service accounts in a project: 
      gcloud iam service-accounts list --project=<project_id>
    • Use the gcloud command to create a new key for a service account: 
      gcloud iam service-accounts keys create <output_file> --iam-account=<service_account_email> --project=<project_id>
    • Remove the old keys from the service account: 
      gcloud iam service-accounts keys delete <key_id> --iam-account=<service_account_email> --project=<project_id>

Please note that the actual commands may vary depending on your specific requirements and configurations. Make sure to replace the placeholders (<role_name>, <project_id>, <member>, <output_file>, <service_account_email>, <key_id>) with the appropriate values.

Using Python

To remediate GCP GCPIAM issues using Python, you can utilize the Google Cloud Identity and Access Management (IAM) API. Here are three examples of how you can use Python to address common GCPIAM issues:

  1. Granting IAM Roles to a User:

    • Use the google-cloud-iam library to authenticate and create a client object.
    • Use the set_iam_policy method to retrieve the existing IAM policy for a resource.
    • Modify the policy by adding the necessary IAM roles to the user.
    • Use the set_iam_policy method again to update the IAM policy with the modified policy.
    from google.cloud import iam

def grant_iam_roles(project_id, resource, user_email, roles):
    client = iam.IAMClient()
    policy = client.get_iam_policy(request={"resource": resource})
    for role in roles:
        policy.bindings.add(role=role, members=[f"user:{user_email}"])
    client.set_iam_policy(request={"resource": resource, "policy": policy})

  2. Revoking IAM Roles from a User:

    • Use the google-cloud-iam library to authenticate and create a client object.
    • Use the set_iam_policy method to retrieve the existing IAM policy for a resource.
    • Modify the policy by removing the specified IAM roles from the user.
    • Use the set_iam_policy method again to update the IAM policy with the modified policy.
    from google.cloud import iam

def revoke_iam_roles(project_id, resource, user_email, roles):
    client = iam.IAMClient()
    policy = client.get_iam_policy(request={"resource": resource})
    for role in roles:
        binding = next((b for b in policy.bindings if b.role == role), None)
        if binding:
            binding.members.remove(f"user:{user_email}")
    client.set_iam_policy(request={"resource": resource, "policy": policy})

  3. Checking IAM Permissions for a User:

    • Use the google-cloud-iam library to authenticate and create a client object.
    • Use the test_iam_permissions method to check if the user has the required permissions for a resource.
    from google.cloud import iam

def check_iam_permissions(project_id, resource, user_email, permissions):
    client = iam.IAMClient()
    response = client.test_iam_permissions(
        request={"resource": resource, "permissions": permissions}
    )
    return all(p in response.permissions for p in permissions)

Please note that you need to install the google-cloud-iam library using pip install google-cloud-iam before running these scripts.