- Principals: Users, Groups, Domains or the Public as a whole
- IAM Roles: Permissions for cloud actions
- Resources: Any cloud resource with a resource identifier
This structure mirrors how JupiterOne models Microsoft Azure role-based access control (RBAC), as described in our previous article, Azure Access Review using Optional Traversals in JupiterOne. The following scenario demonstrates how to generate the primary J1QL query to secure a Google Cloud Storage bucket.
Scenario: Query IAM Role Bindings
You have the answer to life, the universe, and everything...
… and you want to keep it safe in a super-secret storage bucket in Google Cloud. In order to make sure no one else can manipulate it, you decide to do an access analysis of your storage bucket. The first thing to check is to see if there are any nefarious individuals that have admin access to your bucket.
Using JupiterOne Query Language (J1QL), you can query for the IAM Role Bindings that are attached to this bucket which allow the permission storage.admin .
Well, that’s not good! Not only does this shady mknoedel individual have admin access to your super-secret storage bucket, so does everyone else! These bindings need to be removed.
Job well done! Your secret is now safe… or is it? Google Cloud uses a Resource Hierarchy, which allows users to attach role bindings at different organizational levels, with each level being a potential vector for granting access to your bucket.
You’ll need to check those bindings as well, just to be safe. Using J1QL, you can query for the IAM Role Bindings that are attached anywhere on the organization hierarchy which allow the permission storage.admin .
Don’t know what the `(...)?` syntax means? Check it out here!
Good thing we checked! This unknown user mknoedel is granted admin access to our bucket at all levels of the organization hierarchy. Let’s remove these bindings.
Cloud Storage supports “Convenience Members”, which are a special set of principles that can be applied specifically to IAM bucket policies. A convenience member acts as a bridge between the principals granted a basic role and an IAM Role. The IAM Role granted to the convenience value is, in effect, also granted to all principals of the specified basic role for the specified project ID.
Using J1QL, we can find all the bindings that have Convenience Members that escalate the permissions of basic roles to storage.admin for our bucket.
Gotcha! Anyone who has a Google account with a domain of “mknoedel.com” has admin access to our super-secret bucket. You’ll need to remove this binding as well.
Pulling it All Together: Access Analysis with J1QL
You can do the entire access analysis with the J1QL query: Who has storage.admin on the j1-gc-integration-dev-v3-super-secret-stuff key vault?
With J1QL you gain a deep insight into who has access to your Google Storage buckets. Going even further, you can use the sort of analysis examined above to easily evaluate how your infrastructure lines up with Google Cloud’s IAM Best Practices:
- Use the principle of least privilege when granting access.
Am I using the principle of least privilege when granting access to my buckets?
Use the above query to search for storage.admin over all buckets. When found, reduce the scope to something less aggressive like storage.objectReader.
- Avoid granting roles with setIamPolicy permission to people you do not know.
Does anyone with an email not in the domain jupiterone.com have setIamPolicy permission to my buckets?
- Be careful how you grant permissions to anonymous users.
Have I assigned any of my storage buckets to Everyone?