Minimal Role / Permissions for Target
Assumption
A service account has been created and granted the necessary Viewer roles (Organization Viewer, Folder Viewer, Viewer, Private Logs Viewer).
An incident response team is likely to encounter resistance from engineering or business teams when requesting non-read permissions on a target (potentially compromised) GCP organisation and its projects, because of the potential production impact.
To reduce such concerns while still enabling effective incident response, a set of minimal non-read permissions is provided here.
Warning
The minimal permissions provided here are not meant to be the complete set needed for every incident response investigation on GCP; for example, Cloud SQL investigations are not catered for. However, they should be sufficient for more than 90% of incidents.
Grant Permissions Guide
The organisation or project owner is expected to use the gcloud CLI and the min_perm_list_target.yml file, which contains the minimum permissions, to perform the following steps.
To grant the permissions org-wide:
```bash
# create a custom role with the required permissions
# when prompted to confirm the creation, input Y (Yes)
gcloud iam roles create <role_id> --organization=<org_id> --file=min_perm_list_target.yml

# grant the custom role to the service account
# when prompted to specify a condition, select None
gcloud organizations add-iam-policy-binding <org_id> \
    --member=serviceAccount:<svc_acct> \
    --role=organizations/<org_id>/roles/<role_id>
```
To grant permissions for a specific project:
```bash
# create a custom role with the required permissions
# when prompted to confirm the creation, input Y (Yes)
gcloud iam roles create <role_id> --project=<project_id> --file=min_perm_list_target.yml

# grant the custom role to the service account
# when prompted to specify a condition, select None
gcloud projects add-iam-policy-binding <project_id> \
    --member=serviceAccount:<svc_acct> \
    --role=projects/<project_id>/roles/<role_id>
```
Permissions Usage
| Permissions | Used in | Required for |
|---|---|---|
| compute.disks | | Create disk from snapshot |
| | | Create snapshot from disk |
| compute.firewalls | | Create firewall rules |
| | | Delete firewall rules |
| | | Enable firewall rule logs |
| compute.instances | | Delete compute instances |
| | | Remove external IP address of compute instance |
| | | Resume compute instances |
| | | Delete instance-specific SSH keys |
| | | Add network tag to compute instance |
| | | Suspend compute instances |
| compute.networks | | Create VPC network peering for packet capture |
| | | Create, update and delete firewall rules |
| compute.subnetworks | | Enable/disable VPC flow logs |
| compute.projects | | Delete project-wide SSH key |
| compute.snapshots | | Create snapshot from disk |
| | | Delete snapshot |
| iam.roles | | Delete IAM custom role |
| | | Disable IAM custom role |
| iam.serviceAccounts | | Delete project-wide/instance-specific SSH key |
| | | Delete IAM service account |
| | | Disable IAM service account |
| | | Remove service account IAM policy binding |
| iam.serviceAccountKeys | | Delete IAM service account key |
| logging.sinks | | Delete logging sinks |
| | | Update logging sinks |
| resourcemanager.projects | | Delete user account from project |
| storage.buckets | | Create bucket for log storage |
| | | List bucket (object) ACLs |
| | | List bucket ACLs |
| | | Set bucket ACLs |
| storage.objects | | Delete bucket object |
| | | List bucket object ACLs |
| | | List bucket objects |
| | | Set bucket object ACLs |
| container | | Apply k8s network policy |
| | | Cordon compromised nodes |
| | | Drain pods from nodes |
| | | Execute commands from pods |
| | | Label compromised pods for isolation |
| | | Delete k8s load balancer service |
| | | Update k8s service |
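As an added pre-flight check for the grant steps above (example code, not the project's own), this script parses a role definition in the layout gcloud reads with `--file` and flags any permission that is read-only (already covered by the assumed Viewer roles) or that falls outside the permission families in the Permissions Usage table. The allow-list of families and the sample yml are constructed assumptions, not the real min_perm_list_target.yml.

```python
import re
# Permission families from the Permissions Usage table (assumed allow-list; extend if needed)
ALLOWED_FAMILIES = {
    "compute.disks", "compute.firewalls", "compute.instances", "compute.networks",
    "compute.subnetworks", "compute.projects", "compute.snapshots", "iam.roles",
    "iam.serviceAccounts", "iam.serviceAccountKeys", "logging.sinks",
    "resourcemanager.projects", "storage.buckets", "storage.objects", "container",
}
# Verbs the assumed Viewer roles already grant; a non-read role should not carry them.
READ_ONLY_VERBS = {"get", "list", "getIamPolicy"}
# Constructed sample in the layout gcloud expects for --file; not the project's real yml.
SAMPLE_ROLE_YML = """\
title: IR target minimal role
description: Non-read permissions for incident response
stage: GA
includedPermissions:
- compute.disks.createSnapshot
- compute.instances.suspend
- compute.instances.list
- iam.serviceAccountKeys.delete
- cloudsql.instances.delete
"""

def parse_included_permissions(yml_text):
    """Return the entries under includedPermissions (minimal YAML subset, no PyYAML)."""
    perms, in_list = [], False
    for line in yml_text.splitlines():
        if re.match(r"^includedPermissions:\s*$", line):
            in_list = True
        elif in_list:
            m = re.match(r"^\s*-\s*(\S+)\s*$", line)
            if not m:
                break  # end of the list block
            perms.append(m.group(1))
    return perms

def check_role(yml_text):
    """Classify each permission as ok, read_only (redundant with Viewer) or out_of_scope."""
    report = {"ok": [], "read_only": [], "out_of_scope": []}
    for perm in parse_included_permissions(yml_text):
        resource, verb = perm.rsplit(".", 1)  # 'compute.disks', 'createSnapshot'
        service = perm.split(".", 1)[0]       # 'container' rows match on service alone
        if verb in READ_ONLY_VERBS:
            report["read_only"].append(perm)
        elif resource in ALLOWED_FAMILIES or service in ALLOWED_FAMILIES:
            report["ok"].append(perm)
        else:
            report["out_of_scope"].append(perm)
    return report
```

Anything reported as out_of_scope (here the Cloud SQL permission the Warning above excludes) or read_only should be reviewed before the role is created, so the diff the organisation owner approves stays minimal.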