Insights

IAM Policy Insights

This sheet lists the active IAM Policy Insights, queried from the organization node and from every folder and project in the organization. These insights are more detailed than the IAM recommendations.

Below are several IAM Policy Insight gcloud commands used to generate a similar output to this sheet for each level (i.e. organization, folders, projects) in the GCP resource hierarchy.

Organization:

gcloud recommender insights list --organization=$ORGANIZATION_ID --billing-project=$OPERATING_PROJECT \
  --insight-type=google.iam.policy.Insight \
  --filter="stateInfo.state=ACTIVE" --location=global

Folders:

gcloud beta asset list --organization=$ORGANIZATION_ID --content-type='resource' \
  --asset-types='cloudresourcemanager.googleapis.com/Folder' \
  --format="value(resource.data.name.segment(1))" | xargs -t -I {} \
    gcloud recommender insights list --folder={} --billing-project=$OPERATING_PROJECT \
      --insight-type=google.iam.policy.Insight \
      --filter="stateInfo.state=ACTIVE" --location=global

Projects:

gcloud projects list --format="value(projectId)" | xargs -t -I {} \
  gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
    --insight-type=google.iam.policy.Insight \
    --filter="stateInfo.state=ACTIVE" --location=global

Asset Insights

This sheet lists the active Asset Insights from all projects in the organization. This insight has several subtypes; read their descriptions, as they provide incredibly useful information on IAM members external to your organization (e.g. an @gmail.com user address reported as EXTERNAL_MEMBER) with access to your resources, on IAM policies that still bind deactivated users (i.e. TERMINATED_MEMBER), and on bindings to the allUsers and allAuthenticatedUsers principals.

The iam.allowedPolicyMemberDomains organization policy can be used to reduce many of these insight subtypes by restricting IAM policies with members external to the organization, including the allUsers and allAuthenticatedUsers principals (i.e. PUBLIC_IAM_POLICY).

Along with this organization policy, it is highly recommended to limit third-party OAuth app access to your Google Cloud APIs through the Google Workspace Admin console for your organization, so that third-party OAuth apps cannot use your Google Cloud administrator privileges without restriction.

Below is an Asset Insight gcloud command used to generate a similar output to this sheet.

gcloud projects list --format="value(projectId)" | xargs -t -I {} \
  gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
    --insight-type=google.cloudasset.asset.Insight \
    --filter="stateInfo.state=ACTIVE" --location=global
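The Asset Insight subtypes above are easiest to triage in bulk from the JSON form of the command output. The following script is an added example, not part of the original sheet or of gcloud: it parses a constructed sample in the shape of `gcloud recommender insights list --format=json` output, drops anything that is not ACTIVE, counts insights per subtype, and groups each target under the org policy constraint (or manual cleanup) that addresses it. The REMEDIATION mapping for TERMINATED_MEMBER and all sample project numbers, members and resources are assumptions.

```python
import json
from collections import Counter

# Org policy constraint (or manual action) per Asset Insight subtype. The page names
# iam.allowedPolicyMemberDomains for external and public members; treating
# TERMINATED_MEMBER as a binding cleanup is this example's assumption.
REMEDIATION = {
    "EXTERNAL_MEMBER": "enforce iam.allowedPolicyMemberDomains",
    "PUBLIC_IAM_POLICY": "enforce iam.allowedPolicyMemberDomains",
    "TERMINATED_MEMBER": "remove binding for deactivated user",
}

# Constructed sample in the shape of `gcloud recommender insights list --format=json`
# output (project numbers, members and resources are invented for this example).
SAMPLE_JSON = """[
 {"insightSubtype": "EXTERNAL_MEMBER", "stateInfo": {"state": "ACTIVE"},
  "targetResources": ["//cloudresourcemanager.googleapis.com/projects/111"],
  "description": "user:someone@gmail.com holds roles/editor"},
 {"insightSubtype": "PUBLIC_IAM_POLICY", "stateInfo": {"state": "ACTIVE"},
  "targetResources": ["//storage.googleapis.com/example-public-bucket"],
  "description": "allUsers holds roles/storage.objectViewer"},
 {"insightSubtype": "TERMINATED_MEMBER", "stateInfo": {"state": "ACTIVE"},
  "targetResources": ["//cloudresourcemanager.googleapis.com/projects/222"],
  "description": "deleted:user:old@example.com holds roles/owner"},
 {"insightSubtype": "EXTERNAL_MEMBER", "stateInfo": {"state": "DISMISSED"},
  "targetResources": ["//cloudresourcemanager.googleapis.com/projects/222"],
  "description": "user:contractor@gmail.com holds roles/viewer"}
]"""

def load_active_insights(raw_json):
    """Parse gcloud JSON output and keep only ACTIVE insights, so a dismissed
    insight is dropped even if --filter="stateInfo.state=ACTIVE" was omitted."""
    return [i for i in json.loads(raw_json)
            if i.get("stateInfo", {}).get("state") == "ACTIVE"]

def count_by_subtype(insights):
    """Counter of insightSubtype values, the per-sheet totals a reviewer scans first."""
    return Counter(i.get("insightSubtype", "UNKNOWN") for i in insights)

def remediation_plan(insights):
    """One (subtype, target resource, action) row per active insight target, sorted
    so that everything one org policy constraint fixes is grouped together."""
    rows = []
    for i in insights:
        subtype = i.get("insightSubtype", "UNKNOWN")
        action = REMEDIATION.get(subtype, "manual review")
        for target in i.get("targetResources", []):
            rows.append((subtype, target, action))
    return sorted(rows, key=lambda r: (r[2], r[0], r[1]))
```

To use it on real output, pipe `gcloud recommender insights list ... --format=json` to a file and pass its contents to load_active_insights in place of SAMPLE_JSON.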

Lateral Movement Insights

This sheet lists the active Lateral Movement Insights from all projects in the organization. These insights are useful for finding chains of actAs permissions allowing for cross-project impersonation of service accounts. For more details on exploiting lateral movement in GCP, see Allison Donovan (@matter_of_cat) and Dylan Ayrey (@InsecureNature)’s Blackhat talk Lateral Movement & Privilege Escalation in GCP; Compromise Organizations without Dropping an Implant.

The iam.disableCrossProjectServiceAccountUsage organization policy can be used to restrict lateral movement by restricting cross-project service account IAM bindings.

Below is a Lateral Movement Insight gcloud command used to generate a similar output to this sheet.

gcloud projects list --format="value(projectId)" | xargs -t -I {} \
  gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
    --insight-type=google.iam.policy.LateralMovementInsight \
    --filter="stateInfo.state=ACTIVE" --location=global

Service Account Insights

This sheet lists the active Service Account Insights from all projects in the organization. These insights are useful for finding service accounts to safely disable or delete based on historical usage.

Below is a Service Account Insight gcloud command used to generate a similar output to this sheet.

gcloud projects list --format="value(projectId)" | xargs -t -I {} \
  gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
    --insight-type=google.iam.serviceAccount.Insight \
    --filter="stateInfo.state=ACTIVE" --location=global

Firewall Insights

This sheet lists the active Firewall Insights, where enabled, from all projects in the organization. Firewall Insights are not enabled by default, as they have their own pricing and are not free. Follow the prerequisites for enabling Firewall Insights: enable the Firewall Insights API, enable Firewall Rule Logging on the individual firewall rules, enable the chosen insight type, and configure an observation period. These insights are useful for removing redundant firewall rules (i.e. shadowed rules), removing unused firewall rules (i.e. allow rules with no hits), and reducing the protocols and ports of firewall rules based on historical usage (e.g. rules with unused attributes and overly permissive IP address or port ranges).

Below is a Firewall Insight gcloud command used to generate a similar output to this sheet.

gcloud projects list --format="value(projectId)" | xargs -t -I {} \
  gcloud recommender insights list --project={} --billing-project=$OPERATING_PROJECT \
    --insight-type=google.compute.firewall.Insight \
    --filter="stateInfo.state=ACTIVE" --location=global