During the year 2023, I was a Cloud Security lecturer at FIAP. Long story short, it was an amazing experience. However, when we got to the more “red-team” parts of the course, I had trouble finding educational resources. I wanted a pentesting lab that would allow my students to exploit real-world misconfigurations, without the usual…
Category: GCP
GCP – Extract all granted IAM permissions for all users
Introduction: The following bash script is pretty simple. It generates a CSV that lists, for each user, all the roles given to them and in which resources. It’s great for doing IAM reviews. Note: if, for example, a user has access to a project, this script only lists the role granted at the project level….
GCP – SSH into VMs without Public IP’s via IAP Tunneling (A better tutorial)
Table of Contents: Activating IAP with OSLogin (best option); Activating IAP for Project Owners; Activating IAP for Admins; Activating IAP without OSLogin. Introduction: IAP Tunneling is extremely useful for accessing resources that don’t have public IPs. In fact, it’s much safer and easier than assigning public IPs and configuring Firewall rules, or setting up VPNs inside…
GCP – SSH into VMs as Service Account when OSLogin is enabled
OSLogin requires every SSH key to be tied to a user. For normal / human users the process is straightforward and there is a lot of documentation about it. For Service Accounts, things get a little weirder… This tutorial will show you how to create an SSH key that is tied to a Service Account…
Google Workspace / Gsuite – Use Authenticator/TOTP as 2FA without needing to register SMS or Physical Token
Introduction: For some reason, users are forced to activate at least one 2FA method (SMS, token or cellphone alerts) before being allowed to activate TOTP (via Authenticator). SMS is an insecure method of 2FA, because telephone companies are usually susceptible to social engineering attacks that can transfer your number to an unauthorized user. If you…
GCP – Useful GCLOUD commands for IAM auditing
Update 2023/09/13: GCP has updated how some of the filters work. Some of these commands may not work anymore. Here are a few helpful gcloud commands to see important IAM information! Run these in your Cloud Shell or from your own machine using the Cloud SDK. Just switch <id> with your organization’s id and <[email protected]> with…
Google Workspace – useful GAM commands for calendar privacy
I just had a problem where Google Calendar’s default privacy setting was changed to “freeBusy” but didn’t replicate to all users. Looking into it, the privacy change is only applied if the user hasn’t changed their calendar’s default settings. It’s not clear what settings influence this. Anyway, we needed to use GAM to fix the…
GSUITE / Google Workspace – How to transform a user account into a group and keep all e-mails
Edit (15/02): Thanks to hjkimbrian for warning that there is no way to back up emails from a group. Do you have user accounts in your org that are “shared” between your employees? If you do, that’s a big no-no. Account sharing is a horrible practice and is basically a ticking clock to some security incident…
GCP – How to automatically export backups (MySQL and instances) to other places (AWS, Offline, etc…)
GCP has a pretty good backup system which is really easy to configure. For instances, you can schedule automatic snapshots and also convert these snapshots to images whenever you want. For MySQL databases (not sure about the other types) you can schedule backups which are stored in a neat “full backup + incremental backups” to save…
How to create an alert in GCP for a specific event (ex: Modifying a firewall rule)
Say you want to be notified every time a specific event occurs in your GCP project or organization, such as an admin being added, a bucket being created, a firewall rule being modified, etc… How should you do it? After some trial and error, I have found that the method below gives the best results. Some…