Event Information

  • The resourcemanager.folders.setIamPolicy event in GCP for GCPIAM refers to a change in the IAM (Identity and Access Management) policy for a folder in Google Cloud Platform (GCP).
  • This event indicates that the IAM policy for a specific folder has been modified, including changes to the permissions and roles assigned to users, groups, or service accounts within that folder.
  • It is important to monitor this event as it can help track and audit changes to the access control settings for folders, ensuring that the appropriate level of permissions is maintained and any unauthorized changes are detected.

Examples

  1. Unauthorized access: If the resourcemanager.folders.setIamPolicy operation is misconfigured or misused, it can potentially grant unauthorized access to sensitive resources within the GCP environment. This can lead to data breaches, unauthorized modifications, or unauthorized access to critical systems.

  2. Privilege escalation: If the resourcemanager.folders.setIamPolicy operation is used to grant excessive permissions or roles to a user or service account, it can result in privilege escalation. This means that an attacker or malicious user could gain higher levels of access than intended, potentially compromising the security of the entire GCP environment.

  3. Misconfiguration of access controls: If the resourcemanager.folders.setIamPolicy operation is not properly configured, it can lead to misconfigured access controls. This can result in unintended access to resources, allowing unauthorized users to view, modify, or delete critical data or infrastructure components. It is important to ensure that access controls are properly defined and regularly audited to mitigate this risk.

Remediation

Using Console

  1. Example 1: Ensure that all users have a strong password policy in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “IAM” to view the list of users.
  • Step 4: Select the user for whom you want to enforce a strong password policy.
  • Step 5: Click on the “Edit” button next to the user’s name.
  • Step 6: Scroll down to the “Password” section and enable the option for a strong password policy.
  • Step 7: Define the password requirements, such as minimum length, complexity, and expiration.
  • Step 8: Save the changes.
  1. Example 2: Ensure that multi-factor authentication (MFA) is enabled for all users in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “IAM” to view the list of users.
  • Step 4: Select the user for whom you want to enable MFA.
  • Step 5: Click on the “Edit” button next to the user’s name.
  • Step 6: Scroll down to the “Multi-factor authentication” section and enable the option for MFA.
  • Step 7: Choose the desired MFA method, such as SMS, Google Authenticator, or Security Key.
  • Step 8: Follow the on-screen instructions to complete the MFA setup.
  1. Example 3: Ensure that unused service accounts are disabled or deleted in GCP IAM.
  • Step 1: Log in to the GCP Console.
  • Step 2: Navigate to the IAM & Admin section.
  • Step 3: Click on “Service accounts” to view the list of service accounts.
  • Step 4: Identify the service accounts that are no longer needed or in use.
  • Step 5: Select the service account that you want to disable or delete.
  • Step 6: Click on the “Disable” or “Delete” button, depending on your requirement.
  • Step 7: Confirm the action when prompted.
  • Step 8: Repeat steps 5-7 for all unused service accounts that need to be disabled or deleted.

Using CLI

To remediate the issues related to GCP GCPIAM using GCP CLI, you can follow these steps:

  1. Enable multi-factor authentication (MFA) for IAM users:

    • Use the gcloud command to enable MFA for a specific user: 
      gcloud auth login
gcloud auth application-default login
    • Follow the prompts to complete the MFA setup.

  2. Implement least privilege access control:

    • Use the gcloud command to create a custom IAM role with the necessary permissions: 
      gcloud iam roles create <role_name> --project=<project_id> --title="<role_title>" --description="<role_description>" --permissions=<comma_separated_permissions>
    • Assign the custom IAM role to the appropriate users or service accounts: 
      gcloud projects add-iam-policy-binding <project_id> --member=<member> --role=<role_name>

  3. Regularly review and rotate access keys:

    • Use the gcloud command to list all the service accounts in a project: 
      gcloud iam service-accounts list --project=<project_id>
    • For each service account, use the gcloud command to create a new key and delete the old key: 
      gcloud iam service-accounts keys create <new_key_file> --iam-account=<service_account_email> --project=<project_id>
gcloud iam service-accounts keys delete <old_key_file> --iam-account=<service_account_email> --project=<project_id>

Please note that the actual commands may vary depending on your specific requirements and configurations. Make sure to replace the placeholders (<role_name>, <project_id>, <member>, <new_key_file>, <old_key_file>, etc.) with the appropriate values.

Using Python

To remediate GCP GCPIAM issues using Python, you can utilize the Google Cloud Identity and Access Management (GCPIAM) API. Here are three examples of how you can use Python to address these issues:

  1. Granting IAM Roles:

    • Use the google-cloud-iam library to create a service account and grant it the necessary IAM roles.
    • Example Python script: 
      from google.cloud import iam

client = iam.IAMClient()
policy = client.get_policy(request={"resource": "projects/PROJECT_ID"})
policy.bindings.add(role="roles/ROLE_NAME", members=["user:USER_EMAIL"])
client.set_policy(request={"resource": "projects/PROJECT_ID", "policy": policy})

  2. Enforcing IAM Policies:

    • Use the google-cloud-asset library to retrieve the current IAM policies and enforce the desired policies.
    • Example Python script: 
      from google.cloud import asset

client = asset.AssetServiceClient()
response = client.export_assets(request={"parent": "projects/PROJECT_ID", "output_config": {"gcs_destination": {"uri": "gs://BUCKET_NAME/exported_assets"}}})

  3. Monitoring IAM Changes:

    • Use the google-cloud-logging library to set up a log sink and receive notifications for IAM changes.
    • Example Python script: 
      from google.cloud import logging_v2

client = logging_v2.LoggingServiceV2Client()
response = client.create_sink(request={"parent": "projects/PROJECT_ID", "sink": {"name": "SINK_NAME", "destination": "pubsub.googleapis.com/projects/PROJECT_ID/topics/TOPIC_NAME"}})

Please note that you need to replace PROJECT_ID, ROLE_NAME, USER_EMAIL, BUCKET_NAME, SINK_NAME, and TOPIC_NAME with the appropriate values specific to your GCP environment.