mirror of
https://github.com/HackTricks-wiki/hacktricks-cloud.git
synced 2026-02-04 19:11:41 -08:00
Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az
@@ -1,199 +1,191 @@
|
||||
# GCP - Basic Information
|
||||
# GCP - Taarifa za Msingi
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
|
||||
|
||||
## **Resource hierarchy**
|
||||
## **Hifadhi ya Rasilimali**
|
||||
|
||||
Google Cloud uses a [Resource hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) that is similar, conceptually, to that of a traditional filesystem. This provides a logical parent/child workflow with specific attachment points for policies and permissions.
|
||||
|
||||
At a high level, it looks like this:
|
||||
Google Cloud inatumia [Hifadhi ya Rasilimali](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy) ambayo ni sawa, kimsingi, na ile ya mfumo wa faili wa jadi. Hii inatoa mtiririko wa kazi wa kimantiki wa mzazi/kijakazi pamoja na maeneo maalum ya kiambatisho kwa sera na ruhusa.
|
||||
|
||||
Kwa kiwango cha juu, inaonekana hivi:
|
||||
```
|
||||
Organization
|
||||
--> Folders
|
||||
--> Projects
|
||||
--> Resources
|
||||
--> Projects
|
||||
--> Resources
|
||||
```
|
||||
|
||||
A virtual machine (called a Compute Instance) is a resource. A resource resides in a project, probably alongside other Compute Instances, storage buckets, etc.
|
||||
|
||||
<figure><img src="../../../images/image (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption><p><a href="https://cloud.google.com/static/resource-manager/img/cloud-hierarchy.svg">https://cloud.google.com/static/resource-manager/img/cloud-hierarchy.svg</a></p></figcaption></figure>
|
||||
|
||||
## **Projects Migration**
|
||||
## **Miradi ya Mabadiliko**
|
||||
|
||||
It's possible to **migrate a project without any organization** to an organization with the permissions `roles/resourcemanager.projectCreator` and `roles/resourcemanager.projectMover`. If the project is inside other organization, it's needed to contact GCP support to **move them out of the organization first**. For more info check [**this**](https://medium.com/google-cloud/migrating-a-project-from-one-organization-to-another-gcp-4b37a86dd9e6).
|
||||
Ni uwezekano wa **kuhamasisha mradi bila shirika lolote** kwenda shirika lenye ruhusa `roles/resourcemanager.projectCreator` na `roles/resourcemanager.projectMover`. Ikiwa mradi uko ndani ya shirika lingine, inahitajika kuwasiliana na msaada wa GCP ili **kuhamasisha kutoka shirika kwanza**. Kwa maelezo zaidi angalia [**hii**](https://medium.com/google-cloud/migrating-a-project-from-one-organization-to-another-gcp-4b37a86dd9e6).
|
||||
|
||||
## **Organization Policies**
|
||||
## **Sera za Shirika**
|
||||
|
||||
Allow to centralize control over your organization's cloud resources:
|
||||
Ruhusu kuimarisha udhibiti juu ya rasilimali za wingu za shirika lako:
|
||||
|
||||
- Centralize control to **configure restrictions** on how your organization’s resources can be used.
|
||||
- Define and establish **guardrails** for your development teams to stay within compliance boundaries.
|
||||
- Help project owners and their teams move quickly without worry of breaking compliance.
|
||||
- Kuimarisha udhibiti ili **kuweka vizuizi** juu ya jinsi rasilimali za shirika lako zinaweza kutumika.
|
||||
- Mwelekeo na kuanzisha **mipaka** kwa timu zako za maendeleo ili kubaki ndani ya mipaka ya kufuata.
|
||||
- Saidia wamiliki wa miradi na timu zao kuhamasisha haraka bila wasiwasi wa kuvunja kufuata.
|
||||
|
||||
These policies can be created to **affect the complete organization, folder(s) or project(s)**. Descendants of the targeted resource hierarchy node **inherit the organization policy**.
|
||||
Sera hizi zinaweza kuundwa ili **kuathiri shirika lote, folda au miradi**. Wana wa node ya hiyerarhya ya rasilimali iliyolengwa **wanarithi sera za shirika**.
|
||||
|
||||
In order to **define** an organization policy, **you choose a** [**constraint**](https://cloud.google.com/resource-manager/docs/organization-policy/overview#constraints), which is a particular type of restriction against either a Google Cloud service or a group of Google Cloud services. You **configure that constraint with your desired restrictions**.
|
||||
Ili **kufafanua** sera ya shirika, **unachagua** [**kizuizi**](https://cloud.google.com/resource-manager/docs/organization-policy/overview#constraints), ambacho ni aina maalum ya vizuizi dhidi ya huduma za Google Cloud au kundi la huduma za Google Cloud. Unapanga **kizuizi hicho kwa vizuizi unavyotaka**.
|
||||
|
||||
<figure><img src="../../../images/image (217).png" alt=""><figcaption><p><a href="https://cloud.google.com/resource-manager/img/org-policy-concepts.svg">https://cloud.google.com/resource-manager/img/org-policy-concepts.svg</a></p></figcaption></figure>
|
||||
|
||||
#### Common use cases <a href="#common_use_cases" id="common_use_cases"></a>
|
||||
#### Matumizi ya kawaida <a href="#common_use_cases" id="common_use_cases"></a>
|
||||
|
||||
- Limit resource sharing based on domain.
|
||||
- Limit the usage of Identity and Access Management service accounts.
|
||||
- Restrict the physical location of newly created resources.
|
||||
- Disable service account creation
|
||||
- Punguza ushirikiano wa rasilimali kulingana na kikoa.
|
||||
- Punguza matumizi ya akaunti za huduma za Usimamizi wa Utambulisho na Ufikiaji.
|
||||
- Punguza eneo halisi la rasilimali mpya zilizoundwa.
|
||||
- Zima uundaji wa akaunti za huduma.
|
||||
|
||||
<figure><img src="../../../images/image (172).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
There are many more constraints that give you fine-grained control of your organization's resources. For **more information, see the** [**list of all Organization Policy Service constraints**](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints)**.**
|
||||
Kuna vizuizi vingi zaidi vinavyokupa udhibiti wa kina wa rasilimali za shirika lako. Kwa **maelezo zaidi, angalia** [**orodha ya vizuizi vyote vya Sera za Sera za Shirika**](https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints)**.**
|
||||
|
||||
### **Default Organization Policies**
|
||||
### **Sera za Shirika za Kawaida**
|
||||
|
||||
<details>
|
||||
|
||||
<summary>These are the policies that Google will add by default when setting up your GCP organization:</summary>
|
||||
<summary>Hizi ni sera ambazo Google itaongeza kwa kawaida wakati wa kuanzisha shirika lako la GCP:</summary>
|
||||
|
||||
**Access Management Policies**
|
||||
**Sera za Usimamizi wa Ufikiaji**
|
||||
|
||||
- **Domain restricted contacts:** Prevents adding users to Essential Contacts outside your specified domains. This limits Essential Contacts to only allow managed user identities in your selected domains to receive platform notifications.
|
||||
- **Domain restricted sharing:** Prevents adding users to IAM policies outside your specified domains. This limits IAM policies to only allow managed user identities in your selected domains to access resources inside this organization.
|
||||
- **Public access prevention:** Prevents Cloud Storage buckets from being exposed to the public. This ensures that a developer can't configure Cloud Storage buckets to have unauthenticated internet access.
|
||||
- **Uniform bucket level access:** Prevents object-level access control lists (ACLs) in Cloud Storage buckets. This simplifies your access management by applying IAM policies consistently across all objects in Cloud Storage buckets.
|
||||
- **Require OS login:** VMs created in new projects will have OS Login enabled. This lets you manage SSH access to your instances using IAM without needing to create and manage individual SSH keys.
|
||||
- **Wasiliana na kikoa kilichozuiliwa:** Inazuia kuongeza watumiaji kwenye Wasiliana Muhimu nje ya maeneo yako yaliyotajwa. Hii inazuia Wasiliana Muhimu kuruhusu tu utambulisho wa watumiaji waliodhibitiwa katika maeneo yako yaliyoteuliwa kupokea arifa za jukwaa.
|
||||
- **Ushirikiano wa kikoa kilichozuiliwa:** Inazuia kuongeza watumiaji kwenye sera za IAM nje ya maeneo yako yaliyotajwa. Hii inazuia sera za IAM kuruhusu tu utambulisho wa watumiaji waliodhibitiwa katika maeneo yako yaliyoteuliwa kufikia rasilimali ndani ya shirika hili.
|
||||
- **Kuzuia ufikiaji wa umma:** Inazuia ndoo za Hifadhi ya Wingu kuonyeshwa kwa umma. Hii inahakikisha kwamba mendelevu hawezi kupanga ndoo za Hifadhi ya Wingu kuwa na ufikiaji wa intaneti usio na uthibitisho.
|
||||
- **Kufikia kiwango cha ndoo kilichosawazishwa:** Inazuia orodha za udhibiti wa ufikiaji wa kiwango cha kitu (ACLs) katika ndoo za Hifadhi ya Wingu. Hii inarahisisha usimamizi wako wa ufikiaji kwa kutumia sera za IAM kwa usawa katika vitu vyote katika ndoo za Hifadhi ya Wingu.
|
||||
- **Hitaji kuingia kwa OS:** VMs zilizoundwa katika miradi mipya zitakuwa na kuingia kwa OS kuliwezesha. Hii inakuwezesha kusimamia ufikiaji wa SSH kwa mifano yako kwa kutumia IAM bila kuhitaji kuunda na kusimamia funguo za SSH za kibinafsi.
|
||||
|
||||
**Additional security policies for service accounts**
|
||||
**Sera za usalama za ziada kwa akaunti za huduma**
|
||||
|
||||
- **Disable automatic IAM grants**: Prevents the default App Engine and Compute Engine service accounts from automatically being granted the Editor IAM role on a project at creation. This ensures service accounts don't receive overly-permissive IAM roles upon creation.
|
||||
- **Disable service account key creation**: Prevents the creation of public service account keys. This helps reduce the risk of exposing persistent credentials.
|
||||
- **Disable service account key upload**: Prevents the uploading of public service account keys. This helps reduce the risk of leaked or reused key material.
|
||||
- **Zima ruhusa za IAM za kiotomatiki:** Inazuia akaunti za huduma za App Engine na Compute Engine kupewa ruhusa ya Mhariri wa IAM kiotomatiki wakati wa uundaji wa mradi. Hii inahakikisha akaunti za huduma hazipati ruhusa za IAM zenye nguvu kupita kiasi wakati wa uundaji.
|
||||
- **Zima uundaji wa funguo za akaunti za huduma:** Inazuia uundaji wa funguo za umma za akaunti za huduma. Hii husaidia kupunguza hatari ya kufichuliwa kwa akidi za kudumu.
|
||||
- **Zima upakuaji wa funguo za akaunti za huduma:** Inazuia upakuaji wa funguo za umma za akaunti za huduma. Hii husaidia kupunguza hatari ya kufichuliwa au kutumia tena vifaa vya funguo.
|
||||
|
||||
**Secure VPC network configuration policies**
|
||||
**Sera za usanidi wa mtandao wa VPC salama**
|
||||
|
||||
- **Define allowed external IPs for VM instances**: Prevents the creation of Compute instances with a public IP, which can expose them to internet traffic.
|
||||
- **Fafanua IP za nje zinazoruhusiwa kwa mifano ya VM:** Inazuia uundaji wa mifano ya Compute zikiwa na IP ya umma, ambayo inaweza kuziweka wazi kwa trafiki ya intaneti.
|
||||
|
||||
* **Disable VM nested virtualization**: Prevents the creation of nested VMs on Compute Engine VMs. This decreases the security risk of having unmonitored nested VMs.
|
||||
* **Zima uanzishaji wa VM wa ndani:** Inazuia uundaji wa VMs za ndani kwenye VMs za Compute Engine. Hii inapunguza hatari ya usalama ya kuwa na VMs za ndani zisizofuatiliwa.
|
||||
|
||||
- **Disable VM serial port:** Prevents serial port access to Compute Engine VMs. This prevents input to a server’s serial port using the Compute Engine API.
|
||||
- **Zima bandari ya serial ya VM:** Inazuia ufikiaji wa bandari ya serial kwa VMs za Compute Engine. Hii inazuia pembejeo kwenye bandari ya serial ya seva kwa kutumia API ya Compute Engine.
|
||||
|
||||
* **Restrict authorized networks on Cloud SQL instances:** Prevents public or non-internal network ranges from accessing your Cloud SQL databases.
|
||||
* **Punguza mitandao iliyothibitishwa kwenye mifano ya Cloud SQL:** Inazuia maeneo ya umma au yasiyo ya ndani kufikia hifadhidata zako za Cloud SQL.
|
||||
|
||||
- **Restrict Protocol Forwarding Based on type of IP Address:** Prevents VM protocol forwarding for external IP addresses.
|
||||
- **Punguza Uhamasishaji wa Itifaki Kulingana na aina ya IP:** Inazuia uhamasishaji wa itifaki ya VM kwa anwani za IP za nje.
|
||||
|
||||
* **Restrict Public IP access on Cloud SQL instances:** Prevents the creation of Cloud SQL instances with a public IP, which can expose them to internet traffic.
|
||||
* **Punguza ufikiaji wa IP ya umma kwenye mifano ya Cloud SQL:** Inazuia uundaji wa mifano ya Cloud SQL zikiwa na IP ya umma, ambayo inaweza kuziweka wazi kwa trafiki ya intaneti.
|
||||
|
||||
- **Restrict shared VPC project lien removal:** Prevents the accidental deletion of Shared VPC host projects.
|
||||
- **Punguza kuondolewa kwa dhamana ya mradi wa VPC iliyoshirikiwa:** Inazuia kufutwa kwa bahati mbaya kwa miradi ya mwenyeji wa VPC iliyoshirikiwa.
|
||||
|
||||
* **Sets the internal DNS setting for new projects to Zonal DNS Only:** Prevents the use of a legacy DNS setting that has reduced service availability.
|
||||
* **Weka mipangilio ya DNS ya ndani kwa miradi mipya kuwa DNS ya Kihuduma tu:** Inazuia matumizi ya mipangilio ya zamani ya DNS ambayo imepunguza upatikanaji wa huduma.
|
||||
|
||||
- **Skip default network creation:** Prevents automatic creation of the default VPC network and related resources. This avoids overly-permissive default firewall rules.
|
||||
- **Skip default network creation:** Inazuia uundaji wa kiotomatiki wa mtandao wa VPC wa kawaida na rasilimali zinazohusiana. Hii inakwepa sheria za moto za kawaida zenye nguvu kupita kiasi.
|
||||
|
||||
* **Disable VPC External IPv6 usage:** Prevents the creation of external IPv6 subnets, which can be exposed to unauthorized internet access.
|
||||
* **Zima matumizi ya IPv6 ya nje ya VPC:** Inazuia uundaji wa subnet za IPv6 za nje, ambazo zinaweza kuonyeshwa kwa ufikiaji wa intaneti usioidhinishwa.
|
||||
|
||||
</details>
|
||||
|
||||
## **IAM Roles**
|
||||
## **Majukumu ya IAM**
|
||||
|
||||
These are like IAM policies in AWS as **each role contains a set of permissions.**
|
||||
Haya ni kama sera za IAM katika AWS kwani **kila jukumu lina seti ya ruhusa.**
|
||||
|
||||
However, unlike in AWS, there is **no centralized repo** of roles. Instead of that, **resources give X access roles to Y principals**, and the only way to find out who has access to a resource is to use the **`get-iam-policy` method over that resource**.\
|
||||
This could be a problem because this means that the only way to find out **which permissions a principal has is to ask every resource who is it giving permissions to**, and a user might not have permissions to get permissions from all resources.
|
||||
Hata hivyo, tofauti na katika AWS, hakuna **repo ya kati** ya majukumu. Badala yake, **rasilimali zinatoa majukumu ya X kwa wakuu wa Y**, na njia pekee ya kugundua ni nani mwenye ufikiaji wa rasilimali ni kutumia **mbinu ya `get-iam-policy` juu ya rasilimali hiyo**.\
|
||||
Hii inaweza kuwa tatizo kwa sababu hii inamaanisha kwamba njia pekee ya kugundua **ni ruhusa zipi mkuu ana nazo ni kuuliza kila rasilimali ni nani inayoipa ruhusa**, na mtumiaji anaweza kuwa hana ruhusa za kupata ruhusa kutoka kwa rasilimali zote.
|
||||
|
||||
There are **three types** of roles in IAM:
|
||||
Kuna **aina tatu** za majukumu katika IAM:
|
||||
|
||||
- **Basic/Primitive roles**, which include the **Owner**, **Editor**, and **Viewer** roles that existed prior to the introduction of IAM.
|
||||
- **Predefined roles**, which provide granular access for a specific service and are managed by Google Cloud. There are a lot of predefined roles, you can **see all of them with the privileges they have** [**here**](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles).
|
||||
- **Custom roles**, which provide granular access according to a user-specified list of permissions.
|
||||
- **Majukumu ya Msingi/Msingi**, ambayo yanajumuisha **Mmiliki**, **Mhariri**, na **Mtazamaji** ambayo yalikuwepo kabla ya kuanzishwa kwa IAM.
|
||||
- **Majukumu yaliyotangazwa**, ambayo yanatoa ufikiaji wa kina kwa huduma maalum na yanadhibitiwa na Google Cloud. Kuna majukumu mengi yaliyotangazwa, unaweza **kuona yote pamoja na haki zao** [**hapa**](https://cloud.google.com/iam/docs/understanding-roles#predefined_roles).
|
||||
- **Majukumu ya Kijadi**, ambayo yanatoa ufikiaji wa kina kulingana na orodha ya ruhusa iliyotolewa na mtumiaji.
|
||||
|
||||
There are thousands of permissions in GCP. In order to check if a role has a permissions you can [**search the permission here**](https://cloud.google.com/iam/docs/permissions-reference) and see which roles have it.
|
||||
Kuna maelfu ya ruhusa katika GCP. Ili kuangalia ikiwa jukumu lina ruhusa unaweza [**kutafuta ruhusa hapa**](https://cloud.google.com/iam/docs/permissions-reference) na kuona ni majukumu gani yana hiyo.
|
||||
|
||||
You can also [**search here predefined roles**](https://cloud.google.com/iam/docs/understanding-roles#product_specific_documentation) **offered by each product.** Note that some **roles** cannot be attached to users and **only to SAs because some permissions** they contain.\
|
||||
Moreover, note that **permissions** will only **take effect** if they are **attached to the relevant service.**
|
||||
Unaweza pia [**kutafuta hapa majukumu yaliyotangazwa**](https://cloud.google.com/iam/docs/understanding-roles#product_specific_documentation) **yanayotolewa na kila bidhaa.** Kumbuka kwamba baadhi ya **majukumu** hayawezi kuunganishwa na watumiaji na **tu kwa SAs kwa sababu ya ruhusa** wanazozishikilia.\
|
||||
Zaidi ya hayo, kumbuka kwamba **ruhusa** zitachukua **madhara** tu ikiwa zime **unganishwa na huduma husika.**
|
||||
|
||||
Or check if a **custom role can use a** [**specific permission in here**](https://cloud.google.com/iam/docs/custom-roles-permissions-support)**.**
|
||||
Au angalia ikiwa **jukumu la kijadi linaweza kutumia** [**ruhusa maalum hapa**](https://cloud.google.com/iam/docs/custom-roles-permissions-support)**.**
|
||||
|
||||
{{#ref}}
|
||||
../gcp-services/gcp-iam-and-org-policies-enum.md
|
||||
{{#endref}}
|
||||
|
||||
## Users <a href="#default-credentials" id="default-credentials"></a>
|
||||
## Watumiaji <a href="#default-credentials" id="default-credentials"></a>
|
||||
|
||||
In **GCP console** there **isn't any Users or Groups** management, that is done in **Google Workspace**. Although you could synchronize a different identity provider in Google Workspace.
|
||||
Katika **konso ya GCP** hakuna usimamizi wa Watumiaji au Vikundi, hiyo inafanywa katika **Google Workspace**. Ingawa unaweza kusawazisha mtoa huduma tofauti wa utambulisho katika Google Workspace.
|
||||
|
||||
You can access Workspaces **users and groups in** [**https://admin.google.com**](https://admin.google.com/).
|
||||
Unaweza kufikia watumiaji na vikundi vya Workspaces **katika** [**https://admin.google.com**](https://admin.google.com/).
|
||||
|
||||
**MFA** can be **forced** to Workspaces users, however, an **attacker** could use a token to access GCP **via cli which won't be protected by MFA** (it will be protected by MFA only when the user logins to generate it: `gcloud auth login`).
|
||||
**MFA** inaweza **kulazimishwa** kwa watumiaji wa Workspaces, hata hivyo, **mshambuliaji** anaweza kutumia tokeni kufikia GCP **kupitia cli ambayo haitalindwa na MFA** (italindwa na MFA tu wakati mtumiaji anapoingia kuunda hiyo: `gcloud auth login`).
|
||||
|
||||
## Groups
|
||||
## Vikundi
|
||||
|
||||
When an organisation is created several groups are **strongly suggested to be created.** If you manage any of them you might have compromised all or an important part of the organization:
|
||||
Wakati shirika linaundwa vikundi kadhaa **vinapendekezwa kwa nguvu kuundwa.** Ikiwa unashughulikia yoyote yao unaweza kuwa umepata hatari kwa shirika lote au sehemu muhimu ya shirika:
|
||||
|
||||
<table data-header-hidden><thead><tr><th width="299.3076923076923"></th><th></th></tr></thead><tbody><tr><td><strong>Group</strong></td><td><strong>Function</strong></td></tr><tr><td><strong><code>gcp-organization-admins</code></strong><br><em>(group or individual accounts required for checklist)</em></td><td>Administering any resource that belongs to the organization. Assign this role sparingly; org admins have access to all of your Google Cloud resources. Alternatively, because this function is highly privileged, consider using individual accounts instead of creating a group.</td></tr><tr><td><strong><code>gcp-network-admins</code></strong><br><em>(required for checklist)</em></td><td>Creating networks, subnets, firewall rules, and network devices such as Cloud Router, Cloud VPN, and cloud load balancers.</td></tr><tr><td><strong><code>gcp-billing-admins</code></strong><br><em>(required for checklist)</em></td><td>Setting up billing accounts and monitoring their usage.</td></tr><tr><td><strong><code>gcp-developers</code></strong><br><em>(required for checklist)</em></td><td>Designing, coding, and testing applications.</td></tr><tr><td><strong><code>gcp-security-admins</code></strong><br></td><td>Establishing and managing security policies for the entire organization, including access management and <a href="https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints">organization constraint policies</a>. 
See the <a href="https://cloud.google.com/architecture/security-foundations/authentication-authorization#users_and_groups">Google Cloud security foundations guide</a> for more information about planning your Google Cloud security infrastructure.</td></tr><tr><td><strong><code>gcp-devops</code></strong></td><td>Creating or managing end-to-end pipelines that support continuous integration and delivery, monitoring, and system provisioning.</td></tr><tr><td><strong><code>gcp-logging-admins</code></strong></td><td></td></tr><tr><td><strong><code>gcp-logging-viewers</code></strong></td><td></td></tr><tr><td><strong><code>gcp-monitor-admins</code></strong></td><td></td></tr><tr><td><strong><code>gcp-billing-viewer</code></strong><br><em>(no longer by default)</em></td><td>Monitoring the spend on projects. Typical members are part of the finance team.</td></tr><tr><td><strong><code>gcp-platform-viewer</code></strong><br><em>(no longer by default)</em></td><td>Reviewing resource information across the Google Cloud organization.</td></tr><tr><td><strong><code>gcp-security-reviewer</code></strong><br><em>(no longer by default)</em></td><td>Reviewing cloud security.</td></tr><tr><td><strong><code>gcp-network-viewer</code></strong><br><em>(no longer by default)</em></td><td>Reviewing network configurations.</td></tr><tr><td><strong><code>grp-gcp-audit-viewer</code></strong><br><em>(no longer by default)</em></td><td>Viewing audit logs.</td></tr><tr><td><strong><code>gcp-scc-admin</code></strong><br><em>(no longer by default)</em></td><td>Administering Security Command Center.</td></tr><tr><td><strong><code>gcp-secrets-admin</code></strong><br><em>(no longer by default)</em></td><td>Managing secrets in Secret Manager.</td></tr></tbody></table>
|
||||
<table data-header-hidden><thead><tr><th width="299.3076923076923"></th><th></th></tr></thead><tbody><tr><td><strong>Kikundi</strong></td><td><strong>Funguo</strong></td></tr><tr><td><strong><code>gcp-organization-admins</code></strong><br><em>(akaunti za kikundi au mtu binafsi zinahitajika kwa orodha ya ukaguzi)</em></td><td>Kusimamia rasilimali yoyote inayomilikiwa na shirika. Tenga jukumu hili kwa uangalifu; wasimamizi wa shirika wana ufikiaji wa rasilimali zako zote za Google Cloud. Badala yake, kwa sababu kazi hii ina mamlaka makubwa, fikiria kutumia akaunti za mtu binafsi badala ya kuunda kikundi.</td></tr><tr><td><strong><code>gcp-network-admins</code></strong><br><em>(zinahitajika kwa orodha ya ukaguzi)</em></td><td>Kuunda mitandao, subnet, sheria za moto, na vifaa vya mtandao kama vile Cloud Router, Cloud VPN, na mizani ya mzigo wa wingu.</td></tr><tr><td><strong><code>gcp-billing-admins</code></strong><br><em>(zinahitajika kwa orodha ya ukaguzi)</em></td><td>Kuweka akaunti za bili na kufuatilia matumizi yao.</td></tr><tr><td><strong><code>gcp-developers</code></strong><br><em>(zinahitajika kwa orodha ya ukaguzi)</em></td><td>Kubuni, kuandika, na kupima programu.</td></tr><tr><td><strong><code>gcp-security-admins</code></strong><br></td><td>Kuweka na kusimamia sera za usalama kwa shirika lote, ikiwa ni pamoja na usimamizi wa ufikiaji na <a href="https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints">sera za vizuizi vya shirika</a>. 
Tazama <a href="https://cloud.google.com/architecture/security-foundations/authentication-authorization#users_and_groups">mwongozo wa misingi ya usalama wa Google Cloud</a> kwa maelezo zaidi kuhusu kupanga miundombinu yako ya usalama wa Google Cloud.</td></tr><tr><td><strong><code>gcp-devops</code></strong></td><td>Kuumba au kusimamia mipango ya mwisho hadi mwisho inayosaidia uunganisho wa mara kwa mara na utoaji, ufuatiliaji, na usanidi wa mfumo.</td></tr><tr><td><strong><code>gcp-logging-admins</code></strong><td></td></tr><tr><td><strong><code>gcp-logging-viewers</code></strong><td></td></tr><tr><td><strong><code>gcp-monitor-admins</code></strong><td></td></tr><tr><td><strong><code>gcp-billing-viewer</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kufuatilia matumizi kwenye miradi. Wanachama wa kawaida ni sehemu ya timu ya fedha.</td></tr><tr><td><strong><code>gcp-platform-viewer</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kukagua taarifa za rasilimali katika shirika la Google Cloud.</td></tr><tr><td><strong><code>gcp-security-reviewer</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kukagua usalama wa wingu.</td></tr><tr><td><strong><code>gcp-network-viewer</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kukagua usanidi wa mtandao.</td></tr><tr><td><strong><code>grp-gcp-audit-viewer</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kukagua kumbukumbu za ukaguzi.</td></tr><tr><td><strong><code>gcp-scc-admin</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kusimamia Kituo cha Amri ya Usalama.</td></tr><tr><td><strong><code>gcp-secrets-admin</code></strong><br><em>(sio tena kwa kawaida)</em></td><td>Kusimamia siri katika Meneja wa Siri.</td></tr></tbody></table>
|
||||
|
||||
## **Default Password Policy**
|
||||
## **Sera ya Nywila ya Kawaida**
|
||||
|
||||
- Enforce strong passwords
|
||||
- Between 8 and 100 characters
|
||||
- No reuse
|
||||
- No expiration
|
||||
- If people is accessing Workspace through a third party provider, these requirements aren't applied.
|
||||
- Lazimisha nywila zenye nguvu
|
||||
- Kati ya herufi 8 na 100
|
||||
- Hakuna matumizi tena
|
||||
- Hakuna muda wa kumalizika
|
||||
- Ikiwa watu wanapata Workspace kupitia mtoa huduma wa tatu, mahitaji haya hayatumiki.
|
||||
|
||||
<figure><img src="../../../images/image (20).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
<figure><img src="../../../images/image (22).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
## **Service accounts**
|
||||
## **Akaunti za huduma**
|
||||
|
||||
These are the principals that **resources** can **have** **attached** and access to interact easily with GCP. For example, it's possible to access the **auth token** of a Service Account **attached to a VM** in the metadata.\
|
||||
It is possible to encounter some **conflicts** when using both **IAM and access scopes**. For example, your service account may have the IAM role of `compute.instanceAdmin` but the instance you've breached has been crippled with the scope limitation of `https://www.googleapis.com/auth/compute.readonly`. This would prevent you from making any changes using the OAuth token that's automatically assigned to your instance.
|
||||
Hizi ni wakuu ambao **rasilimali** zinaweza **kuwa** **zilizounganishwa** na ufikiaji wa kuingiliana kwa urahisi na GCP. Kwa mfano, inawezekana kufikia **tokeni ya uthibitisho** ya Akaunti ya Huduma **iliyounganishwa na VM** katika metadata.\
|
||||
Inawezekana kukutana na baadhi ya **mizozo** wakati wa kutumia **IAM na mipaka ya ufikiaji**. Kwa mfano, akaunti yako ya huduma inaweza kuwa na jukumu la IAM la `compute.instanceAdmin` lakini mfano uliyovunja umewekwa na kikomo cha mipaka ya `https://www.googleapis.com/auth/compute.readonly`. Hii itakuzuia kufanya mabadiliko yoyote kwa kutumia tokeni ya OAuth ambayo inatolewa kiotomatiki kwa mfano wako.
|
||||
|
||||
It's similar to **IAM roles from AWS**. But not like in AWS, **any** service account can be **attached to any service** (it doesn't need to allow it via a policy).
|
||||
|
||||
Several of the service accounts that you will find are actually **automatically generated by GCP** when you start using a service, like:
|
||||
Ni sawa na **majukumu ya IAM kutoka AWS**. Lakini tofauti na katika AWS, **akaunti yoyote ya huduma inaweza kuunganishwa na huduma yoyote** (haihitaji kuiruhusu kupitia sera).
|
||||
|
||||
Baadhi ya akaunti za huduma ambazo utaziona kwa kweli **zinaundwa kiotomatiki na GCP** unapokuwa unatumia huduma, kama:
|
||||
```
|
||||
PROJECT_NUMBER-compute@developer.gserviceaccount.com
|
||||
PROJECT_ID@appspot.gserviceaccount.com
|
||||
```
|
||||
|
||||
However, it's also possible to create and attach to resources **custom service accounts**, which will look like this:
|
||||
|
||||
Hata hivyo, inawezekana pia kuunda na kuunganisha kwenye rasilimali **akaunti za huduma za kawaida**, ambazo zitakuwa kama hii:
|
||||
```
|
||||
SERVICE_ACCOUNT_NAME@PROJECT_NAME.iam.gserviceaccount.com
|
||||
```
|
||||
|
||||
### **Keys & Tokens**
|
||||
|
||||
There are 2 main ways to access GCP as a service account:
|
||||
Kuna njia 2 kuu za kufikia GCP kama akaunti ya huduma:
|
||||
|
||||
- **Via OAuth tokens**: These are tokens that you will get from places like metadata endpoints or stealing http requests and they are limited by the **access scopes**.
|
||||
- **Keys**: These are public and private key pairs that will allow you to sign requests as the service account and even generate OAuth tokens to perform actions as the service account. These keys are dangerous because they are more complicated to limit and control, that's why GCP recommend to not generate them.
|
||||
- Note that every-time a SA is created, **GCP generates a key for the service account** that the user cannot access (and won't be listed in the web application). According to [**this thread**](https://www.reddit.com/r/googlecloud/comments/f0ospy/service_account_keys_observations/) this key is **used internally by GCP** to give metadata endpoints access to generate the accesible OAuth tokens.
|
||||
- **Kupitia token za OAuth**: Hizi ni token ambazo utapata kutoka maeneo kama vile metadata endpoints au kuiba maombi ya http na zinapunguzwa na **mipaka ya ufikiaji**.
|
||||
- **Funguo**: Hizi ni jozi za funguo za umma na za kibinafsi ambazo zitakuruhusu kusaini maombi kama akaunti ya huduma na hata kuunda token za OAuth ili kufanya vitendo kama akaunti ya huduma. Funguo hizi ni hatari kwa sababu ni ngumu zaidi kuzizuia na kudhibiti, ndiyo maana GCP inapendekeza kutosababisha hizo.
|
||||
- Kumbuka kwamba kila wakati akaunti ya SA inaundwa, **GCP inaunda funguo kwa akaunti ya huduma** ambayo mtumiaji cannot access (na haitatajwa katika programu ya wavuti). Kulingana na [**thread hii**](https://www.reddit.com/r/googlecloud/comments/f0ospy/service_account_keys_observations/) funguo hii **inatumiwa ndani na GCP** kutoa ufikiaji wa metadata endpoints ili kuunda token za OAuth zinazopatikana.
|
||||
|
||||
### **Access scopes**
|
||||
|
||||
Access scope are **attached to generated OAuth tokens** to access the GCP API endpoints. They **restrict the permissions** of the OAuth token.\
|
||||
This means that if a token belongs to an Owner of a resource but doesn't have the in the token scope to access that resource, the token **cannot be used to (ab)use those privileges**.
|
||||
Mipaka ya ufikiaji ni **imeunganishwa na token za OAuth zilizozalishwa** ili kufikia viwango vya API vya GCP. Zinapunguza **idhini** za token ya OAuth.\
|
||||
Hii ina maana kwamba ikiwa token inamilikiwa na Mmiliki wa rasilimali lakini haina katika mipaka ya token kufikia rasilimali hiyo, token **haiwezi kutumika (ku) kutumia zile haki**.
|
||||
|
||||
Google actually [recommends](https://cloud.google.com/compute/docs/access/service-accounts#service_account_permissions) that **access scopes are not used and to rely totally on IAM**. The web management portal actually enforces this, but access scopes can still be applied to instances using custom service accounts programmatically.
|
||||
|
||||
You can see what **scopes** are **assigned** by **querying:**
|
||||
Google kwa kweli [inapendekeza](https://cloud.google.com/compute/docs/access/service-accounts#service_account_permissions) kwamba **mipaka ya ufikiaji isitumike na kutegemea kabisa IAM**. Kituo cha usimamizi wa wavuti kwa kweli kinadhibiti hili, lakini mipaka ya ufikiaji bado inaweza kutumika kwa mifano kwa kutumia akaunti za huduma za kawaida kimaandishi.
|
||||
|
||||
Unaweza kuona ni **mipaka** gani **imepewa** kwa **kuuliza:**
|
||||
```bash
|
||||
curl 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=<access_token>'
|
||||
|
||||
{
|
||||
"issued_to": "223044615559.apps.googleusercontent.com",
|
||||
"audience": "223044615559.apps.googleusercontent.com",
|
||||
"user_id": "139746512919298469201",
|
||||
"scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/sqlservice.login https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth",
|
||||
"expires_in": 2253,
|
||||
"email": "username@testing.com",
|
||||
"verified_email": true,
|
||||
"access_type": "offline"
|
||||
"issued_to": "223044615559.apps.googleusercontent.com",
|
||||
"audience": "223044615559.apps.googleusercontent.com",
|
||||
"user_id": "139746512919298469201",
|
||||
"scope": "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/appengine.admin https://www.googleapis.com/auth/sqlservice.login https://www.googleapis.com/auth/compute https://www.googleapis.com/auth/accounts.reauth",
|
||||
"expires_in": 2253,
|
||||
"email": "username@testing.com",
|
||||
"verified_email": true,
|
||||
"access_type": "offline"
|
||||
}
|
||||
```
|
||||
|
||||
The previous **scopes** are the ones generated by **default** using **`gcloud`** to access data. This is because when you use **`gcloud`** you first create an OAuth token, and then use it to contact the endpoints.
|
||||
|
||||
The most important scope of those potentially is **`cloud-platform`**, which basically means that it's possible to **access any service in GCP**.
|
||||
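Review bot: the translated service-account bullet still contains an untranslated English fragment, `ambayo mtumiaji cannot access`, where the source line reads `that the user cannot access`; render the whole clause in Swahili so the sentence is consistent. The same list also carries a source typo into the translation: the English `doesn't have the in the token scope to access that resource` is missing a word (it should read `doesn't have the scope in the token to access that resource`), and the Swahili `haina katika mipaka ya token kufikia rasilimali hiyo` reproduces the gap; fixing the source sentence first would make the statement about access-scope restriction unambiguous in both languages.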
@@ -201,7 +193,6 @@ The most important scope of those potentially is **`cloud-platform`**, which bas
|
||||
You can **find a list of** [**all the possible scopes in here**](https://developers.google.com/identity/protocols/googlescopes)**.**
|
||||
|
||||
If you have **`gcloud`** browser credentials, it's possible to **obtain a token with other scopes,** doing something like:
|
||||
|
||||
```bash
|
||||
# Maybe you can get a user token with other scopes changing the scopes array from ~/.config/gcloud/credentials.db
|
||||
|
||||
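Review bot: this hunk leaves the tail of the Access scopes section untranslated: `You can find a list of all the possible scopes in here`, `If you have gcloud browser credentials, it's possible to obtain a token with other scopes, doing something like:` and the bash comment `# Maybe you can get a user token with other scopes changing the scopes array from ~/.config/gcloud/credentials.db` have no Swahili counterpart, unlike the paragraphs above them in the same file. Either translate them in this commit or state in the commit message that the section is intentionally partial.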
@@ -213,22 +204,17 @@ gcloud auth application-default print-access-token
|
||||
|
||||
# To use this token with some API you might need to use curl to indicate the project header with --header "X-Goog-User-Project: <project-name>"
|
||||
```
|
||||
## **Sera za IAM za Terraform, Mikataba na Uanachama**
|
||||
|
||||
## **Terraform IAM Policies, Bindings and Memberships**
|
||||
Kama ilivyoainishwa na terraform katika [https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam) kutumia terraform na GCP kuna njia tofauti za kutoa ufikiaji kwa principal juu ya rasilimali:
|
||||
|
||||
As defined by terraform in [https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam) using terraform with GCP there are different ways to grant a principal access over a resource:
|
||||
- **Uanachama**: Unapoweka **principals kama wanachama wa majukumu** **bila vizuizi** juu ya jukumu au principals. Unaweza kuweka mtumiaji kama mwanachama wa jukumu kisha kuweka kundi kama mwanachama wa jukumu hilo hilo na pia kuweka principals hao (mtumiaji na kundi) kama wanachama wa majukumu mengine.
|
||||
- **Mikataba**: Principals kadhaa **wanaweza kuunganishwa na jukumu**. Principals hao **bado wanaweza kuunganishwa au kuwa wanachama wa majukumu mengine**. Hata hivyo, ikiwa principal ambaye hajaunganishwa na jukumu amewekwa kama **mwanachama wa jukumu lililounganishwa**, wakati ujao **mkataba utakapotekelezwa, uanachama utaondoka**.
|
||||
- **Sera**: Sera ni **mamlaka**, inaonyesha majukumu na principals na kisha, **principals hao hawawezi kuwa na majukumu zaidi na majukumu hayo hayawezi kuwa na principals zaidi** isipokuwa sera hiyo ibadilishwe (hata katika sera nyingine, mikataba au uanachama). Kwa hivyo, wakati jukumu au principal inapoainishwa katika sera, haki zake zote **zinapunguziliwa mbali na sera hiyo**. Kwa wazi, hii inaweza kupuuziliwa mbali ikiwa principal atapewa chaguo la kubadilisha sera au ruhusa za kupandisha hadhi (kama kuunda principal mpya na kumunganisha na jukumu jipya).
|
||||
|
||||
- **Memberships**: You set **principals as members of roles** **without restrictions** over the role or the principals. You can put a user as a member of a role and then put a group as a member of the same role and also set those principals (user and group) as member of other roles.
|
||||
- **Bindings**: Several **principals can be binded to a role**. Those **principals can still be binded or be members of other roles**. However, if a principal which isn’t binded to the role is set as **member of a binded role**, the next time the **binding is applied, the membership will disappear**.
|
||||
- **Policies**: A policy is **authoritative**, it indicates roles and principals and then, **those principals cannot have more roles and those roles cannot have more principals** unless that policy is modified (not even in other policies, bindings or memberships). Therefore, when a role or principal is specified in policy all its privileges are **limited by that policy**. Obviously, this can be bypassed in case the principal is given the option to modify the policy or privilege escalation permissions (like create a new principal and bind him a new role).
|
||||
|
||||
## References
|
||||
## Marejeo
|
||||
|
||||
- [https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/](https://about.gitlab.com/blog/2020/02/12/plundering-gcp-escalating-privileges-in-google-cloud-platform/)
|
||||
- [https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy)
|
||||
|
||||
{{#include ../../../banners/hacktricks-training.md}}
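Review bot: the comment `# To use this token with some API you might need to use curl to indicate the project header with --header "X-Goog-User-Project: <project-name>"` uses a misleading placeholder: the `X-Goog-User-Project` header takes the project ID (or project number) used for quota and billing, not the project's display name, so `<project-id>` is the safer placeholder and avoids a reader pasting a human-readable name that the API rejects. Separately, the English lines shown alongside the Terraform translation still read `binded` (`principals can be binded to a role`); if the English page is regenerated from this source, `bound` is the correct form.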