Event Information

  • The google.iam.admin.v1.UploadServiceAccountKey event in GCP for GCPIAM refers to the action of uploading a new service account key.
  • This event indicates that a user or service account has uploaded a new key for a service account in the Google Cloud Identity and Access Management (IAM) service.
  • The event provides visibility into changes made to service account keys, which are used for authentication and authorization in GCP services.

Examples

  1. Unauthorized access: If security is impacted with google.iam.admin.v1.UploadServiceAccountKey in GCP for GCPIAM, it could potentially lead to unauthorized access to service account keys. This means that an attacker could gain access to sensitive resources and perform malicious actions on behalf of the compromised service account.

  2. Data breaches: Uploading service account keys without proper security measures can increase the risk of data breaches. If an unauthorized user obtains access to a service account key, they may be able to access and exfiltrate sensitive data stored in GCP resources, such as databases or storage buckets.

  3. Privilege escalation: Uploading service account keys without proper authorization controls can lead to privilege escalation attacks. An attacker who gains access to a service account key may be able to elevate their privileges within the GCP environment, granting them unauthorized access to additional resources and potentially compromising the entire infrastructure.

Remediation

Using Console

  1. Example 1: Ensure that all users have multi-factor authentication (MFA) enabled for their GCP accounts.
  • Step 1: Log in to the GCP Console using your GCP account credentials.
  • Step 2: Navigate to the IAM & Admin section in the GCP Console.
  • Step 3: Select the “IAM” tab to view the list of IAM users.
  • Step 4: Identify the users who do not have MFA enabled.
  • Step 5: For each user without MFA, click on the user’s name to access their details.
  • Step 6: In the user’s details page, click on the “Edit” button next to the “Two-step verification” section.
  • Step 7: Follow the prompts to enable MFA for the user, which may involve setting up a mobile app or receiving SMS codes.
  • Step 8: Repeat steps 5-7 for all users without MFA enabled.
  1. Example 2: Ensure that all GCP service accounts are not granted any sensitive roles.
  • Step 1: Log in to the GCP Console using your GCP account credentials.
  • Step 2: Navigate to the IAM & Admin section in the GCP Console.
  • Step 3: Select the “Service accounts” tab to view the list of service accounts.
  • Step 4: Identify the service accounts that have sensitive roles assigned.
  • Step 5: For each service account with sensitive roles, click on the service account’s name to access its details.
  • Step 6: In the service account’s details page, click on the “Permissions” tab.
  • Step 7: Review the assigned roles and identify any sensitive roles that need to be removed.
  • Step 8: Click on the “Edit” button next to the role that needs to be removed and uncheck the box next to the sensitive role.
  • Step 9: Repeat steps 5-8 for all service accounts with sensitive roles assigned.
  1. Example 3: Ensure that all GCP resources are tagged with appropriate labels.
  • Step 1: Log in to the GCP Console using your GCP account credentials.
  • Step 2: Navigate to the specific GCP resource that needs to be tagged (e.g., Compute Engine instance, Cloud Storage bucket).
  • Step 3: Access the details page of the resource.
  • Step 4: Look for the “Labels” section in the resource details page.
  • Step 5: Click on the “Edit” button next to the “Labels” section.
  • Step 6: Add the appropriate labels to the resource, ensuring that they align with your organization’s tagging policy.
  • Step 7: Save the changes.
  • Step 8: Repeat steps 2-7 for all GCP resources that need to be tagged.

Using CLI

To remediate the issues related to GCP GCPIAM using GCP CLI, you can follow these steps:

  1. Enable multi-factor authentication (MFA) for IAM users:

    • Use the gcloud command to enable MFA for a specific user: 
      gcloud auth login
gcloud auth application-default login
    • Follow the prompts to complete the MFA setup.

  2. Implement least privilege access control:

    • Use the gcloud command to create a custom IAM role with the necessary permissions: 
      gcloud iam roles create <role_name> --project=<project_id> --title="<role_title>" --description="<role_description>" --permissions=<comma_separated_permissions>
    • Assign the custom IAM role to the appropriate users or service accounts: 
      gcloud projects add-iam-policy-binding <project_id> --member=<member> --role=<role_name>

  3. Regularly review and rotate access keys:

    • Use the gcloud command to list all the service accounts in a project: 
      gcloud iam service-accounts list --project=<project_id>
    • For each service account, use the gcloud command to create a new key and delete the old key: 
      gcloud iam service-accounts keys create <new_key_file> --iam-account=<service_account_email> --project=<project_id>
gcloud iam service-accounts keys delete <old_key_file> --iam-account=<service_account_email> --project=<project_id>

Please note that the actual commands may vary depending on your specific requirements and configurations. Make sure to replace the placeholders (<role_name>, <project_id>, <member>, <new_key_file>, <old_key_file>, etc.) with the appropriate values.

Using Python

To remediate GCP GCPIAM issues using Python, you can utilize the Google Cloud Identity and Access Management (GCPIAM) API. Here are three examples of how you can use Python to address these issues:

  1. Granting IAM Roles:

    • Use the google-cloud-iam library to create a service account and grant it the necessary IAM roles.
    • Example Python script: 
      from google.cloud import iam

client = iam.IAMClient()
policy = client.get_policy(request={"resource": "projects/PROJECT_ID"})
policy.bindings.add(role="roles/ROLE_NAME", members=["user:USER_EMAIL"])
client.set_policy(request={"resource": "projects/PROJECT_ID", "policy": policy})

  2. Enforcing IAM Policies:

    • Use the google-cloud-asset library to retrieve the current IAM policies and enforce the desired policies.
    • Example Python script: 
      from google.cloud import asset

client = asset.AssetServiceClient()
response = client.export_assets(request={"parent": "projects/PROJECT_ID", "output_config": {"gcs_destination": {"uri": "gs://BUCKET_NAME/exported_assets"}}})

  3. Monitoring IAM Changes:

    • Use the google-cloud-logging library to set up a log sink and receive notifications for IAM changes.
    • Example Python script: 
      from google.cloud import logging_v2

client = logging_v2.LoggingServiceV2Client()
response = client.create_sink(request={"parent": "projects/PROJECT_ID", "sink": {"name": "SINK_NAME", "destination": "pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME"}})

Please note that you need to replace PROJECT_ID, ROLE_NAME, USER_EMAIL, BUCKET_NAME, SINK_NAME, and TOPIC_NAME with the appropriate values specific to your GCP environment.