[#880] Need to identify Service Accounts

Migrated from Redmine #880 | Author: Tim Nakhisa
Status: New | Priority: Normal | Created: 2022-05-04


Hi,

We need to identify if SimplyBook.me uses the default Compute Engine service account. This is because this particular service account has the editor role in the project, which has overly permissive permissions. If the service account is compromised, they can have access to just about anything in the project, which would be extremely catastrophic in terms of data loss, etc.

This is also highlighted in Google's documentation (Service accounts overview | Identity and Access Management (IAM) | Google Cloud Documentation) and in our CSPM tool, CloudGuard by Check Point (CloudGuard GSL KB).

While we are aware that some of the information may not be disclosed, please understand we're asking whether service accounts are being used, and what their permissions are. This way we can plan how we will go about our deployment, etc.

For more reference, we’re working with Irene (irina@notando.is) and Alan (a.riedford@f5.com) on these efforts.

Regards,

-Tim

Redmine Admin wrote:

hi, the risk of the default service account being compromised is the same as for any other service account linked to a VM in our setup. There are no access keys enabled for the default service account and the only way to use it is via OAuth. OAuth means an attacker needs to be able to log in to the gcloud web interface, which is not possible without the password and 2FA.

Tim Nakhisa wrote:

Understood. Our concern is that the default service account still has overly pervasive permissions. We have seen this in our environment before.

Our ask is… can the default Compute Engine service account be modified and have limited permissions? Is this something within our control?

See screenshot attached.

Tim Nakhisa wrote:

!!

(Short original content)

Tim Nakhisa wrote:

is there a way to attach a screenshot? seems not to be working.

But the screenshot shows the permissions are over 4000 different kinds, hence why we are overly cautious about this.

Redmine Admin wrote:

hi, we understood your concerns. The default service account we use is modified to have viewer permissions only, for logging and monitoring purposes. We found no way it can access a VM or data on a VM from a compromised VM. The default service accounts we use have no access keys.

Tim Nakhisa wrote:

thank you.

FYI… this is how you can retrieve the instance creds (the curly quotes below were straightened so the commands paste into a shell correctly):

# list the OAuth scopes granted to the instance's default service account
curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes

# fetch a service token
curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | jq

but since the permissions are viewer only, we should be good.

Thank you.
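As an added example (not part of the Redmine thread or SimplyBook.me's own tooling), the check a defender would run on a VM to answer the original question: which service account is attached, whether it is the default Compute Engine one, and whether its OAuth scopes are broad. The default-SA naming pattern and the cloud-platform scope URI are standard GCP conventions; the sample email and scope list are constructed, and the `fetch_metadata` helper only works when run on a GCE instance.

```python
import re
import urllib.request

# Same metadata endpoint and header as the curl commands above.
METADATA_BASE = ("http://metadata.google.internal/computeMetadata/v1/"
                 "instance/service-accounts/default/")
# Default Compute Engine SA: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_SA_RE = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# Scopes that do not narrow the token at all; IAM roles alone then bound what it can do.
BROAD_SCOPES = {"https://www.googleapis.com/auth/cloud-platform"}

# Constructed sample responses (what the metadata server would return).
SAMPLE_EMAIL = "123456789012-compute@developer.gserviceaccount.com"
SAMPLE_SCOPES = """https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
"""


def fetch_metadata(path: str) -> str:
    """Read one metadata path (e.g. 'email' or 'scopes'); only reachable from a GCE VM."""
    req = urllib.request.Request(METADATA_BASE + path,
                                 headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def assess(email: str, scopes_text: str) -> dict:
    """Classify the attached SA. Note: scopes cap the token; the IAM role (viewer vs
    editor, as discussed in the thread) still decides what the SA may actually do."""
    scopes = [s.strip() for s in scopes_text.splitlines() if s.strip()]
    findings = []
    is_default = bool(DEFAULT_SA_RE.match(email))
    if is_default:
        findings.append("default Compute Engine service account attached")
    broad = sorted(BROAD_SCOPES & set(scopes))
    if broad:
        findings.append("broad OAuth scope: " + ", ".join(broad))
    return {"email": email, "is_default_sa": is_default,
            "scopes": scopes, "findings": findings}


if __name__ == "__main__":
    # On a real VM replace the samples with fetch_metadata("email") / fetch_metadata("scopes").
    for key, value in assess(SAMPLE_EMAIL, SAMPLE_SCOPES).items():
        print(f"{key}: {value}")
```

The findings list is what to hand to the CSPM reviewer; an empty list with a non-default SA and narrow scopes is the state the thread ends up describing.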