Translated ['.github/pull_request_template.md', 'src/pentesting-cloud/az

2025-12-23 15:37:53 -08:00 · 2024-12-31 18:59:03 +00:00
parent 7770a50092
commit 730ef05579
244 changed files with 8718 additions and 11559 deletions
--- a/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
+++ b/src/pentesting-cloud/gcp-security/gcp-permissions-for-a-pentest.md
@@ -1,54 +1,49 @@
 # GCP - Permissions for a Pentest

-If you want to pentest a GCP environment you need to ask for enough permissions to **check all or most of the services** used in **GCP**. Ideally, you should ask the client to create:
+Si vous souhaitez effectuer un pentest dans un environnement **GCP**, vous devez demander suffisamment de permissions pour **vérifier tous ou la plupart des services** utilisés dans **GCP**. Idéalement, vous devriez demander au client de créer :

-* **Create** a new **project**
-* **Create** a **Service Account** inside that project (get **json credentials**) or create a **new user**.
-* **Give** the **Service account** or the **user** the **roles** mentioned later over the ORGANIZATION
-* **Enable** the **APIs** mentioned later in this post in the created project
-
-**Set of permissions** to use the tools proposed later:
+* **Créer** un **nouveau projet**
+* **Créer** un **compte de service** à l'intérieur de ce projet (obtenir des **identifiants json**) ou créer un **nouvel utilisateur**.
+* **Donner** au **compte de service** ou à l'**utilisateur** les **rôles** mentionnés plus tard sur l'ORGANISATION
+* **Activer** les **API** mentionnées plus tard dans ce post dans le projet créé

+**Ensemble de permissions** à utiliser avec les outils proposés plus tard :
 ```bash
 roles/viewer
 roles/resourcemanager.folderViewer
 roles/resourcemanager.organizationViewer
 ```
-
-APIs to enable (from starbase):
-
+APIs à activer (depuis starbase) :
 ```
 gcloud services enable \
-  serviceusage.googleapis.com \
-  cloudfunctions.googleapis.com \
-  storage.googleapis.com \
-  iam.googleapis.com \
-  cloudresourcemanager.googleapis.com \
-  compute.googleapis.com \
-  cloudkms.googleapis.com \
-  sqladmin.googleapis.com \
-  bigquery.googleapis.com \
-  container.googleapis.com \
-  dns.googleapis.com \
-  logging.googleapis.com \
-  monitoring.googleapis.com \
-  binaryauthorization.googleapis.com \
-  pubsub.googleapis.com \
-  appengine.googleapis.com \
-  run.googleapis.com \
-  redis.googleapis.com \
-  memcache.googleapis.com \
-  apigateway.googleapis.com \
-  spanner.googleapis.com \
-  privateca.googleapis.com \
-  cloudasset.googleapis.com \
-  accesscontextmanager.googleapis.com
+serviceusage.googleapis.com \
+cloudfunctions.googleapis.com \
+storage.googleapis.com \
+iam.googleapis.com \
+cloudresourcemanager.googleapis.com \
+compute.googleapis.com \
+cloudkms.googleapis.com \
+sqladmin.googleapis.com \
+bigquery.googleapis.com \
+container.googleapis.com \
+dns.googleapis.com \
+logging.googleapis.com \
+monitoring.googleapis.com \
+binaryauthorization.googleapis.com \
+pubsub.googleapis.com \
+appengine.googleapis.com \
+run.googleapis.com \
+redis.googleapis.com \
+memcache.googleapis.com \
+apigateway.googleapis.com \
+spanner.googleapis.com \
+privateca.googleapis.com \
+cloudasset.googleapis.com \
+accesscontextmanager.googleapis.com
 ```
-
-## Individual tools permissions
+## Permissions des outils individuels

 ### [PurplePanda](https://github.com/carlospolop/PurplePanda/tree/master/intel/google)
-
 ```
 From https://github.com/carlospolop/PurplePanda/tree/master/intel/google#permissions-configuration

@@ -61,9 +56,7 @@ roles/resourcemanager.folderViewer
 roles/resourcemanager.organizationViewer
 roles/secretmanager.viewer
 ```
-
 ### [ScoutSuite](https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions)
-
 ```
 From https://github.com/nccgroup/ScoutSuite/wiki/Google-Cloud-Platform#permissions

@@ -71,60 +64,56 @@ roles/Viewer
 roles/iam.securityReviewer
 roles/stackdriver.accounts.viewer
 ```
-
 ### [CloudSploit](https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration)
-
 ```
 From https://github.com/aquasecurity/cloudsploit/blob/master/docs/gcp.md#cloud-provider-configuration

 includedPermissions:
-  - cloudasset.assets.listResource
-  - cloudkms.cryptoKeys.list
-  - cloudkms.keyRings.list
-  - cloudsql.instances.list
-  - cloudsql.users.list
-  - compute.autoscalers.list
-  - compute.backendServices.list
-  - compute.disks.list
-  - compute.firewalls.list
-  - compute.healthChecks.list
-  - compute.instanceGroups.list
-  - compute.instances.getIamPolicy
-  - compute.instances.list
-  - compute.networks.list
-  - compute.projects.get
-  - compute.securityPolicies.list
-  - compute.subnetworks.list
-  - compute.targetHttpProxies.list
-  - container.clusters.list
-  - dns.managedZones.list
-  - iam.serviceAccountKeys.list
-  - iam.serviceAccounts.list
-  - logging.logMetrics.list
-  - logging.sinks.list
-  - monitoring.alertPolicies.list
-  - resourcemanager.folders.get
-  - resourcemanager.folders.getIamPolicy
-  - resourcemanager.folders.list
-  - resourcemanager.hierarchyNodes.listTagBindings
-  - resourcemanager.organizations.get
-  - resourcemanager.organizations.getIamPolicy
-  - resourcemanager.projects.get
-  - resourcemanager.projects.getIamPolicy
-  - resourcemanager.projects.list
-  - resourcemanager.resourceTagBindings.list
-  - resourcemanager.tagKeys.get
-  - resourcemanager.tagKeys.getIamPolicy
-  - resourcemanager.tagKeys.list
-  - resourcemanager.tagValues.get
-  - resourcemanager.tagValues.getIamPolicy
-  - resourcemanager.tagValues.list
-  - storage.buckets.getIamPolicy
-  - storage.buckets.list
+- cloudasset.assets.listResource
+- cloudkms.cryptoKeys.list
+- cloudkms.keyRings.list
+- cloudsql.instances.list
+- cloudsql.users.list
+- compute.autoscalers.list
+- compute.backendServices.list
+- compute.disks.list
+- compute.firewalls.list
+- compute.healthChecks.list
+- compute.instanceGroups.list
+- compute.instances.getIamPolicy
+- compute.instances.list
+- compute.networks.list
+- compute.projects.get
+- compute.securityPolicies.list
+- compute.subnetworks.list
+- compute.targetHttpProxies.list
+- container.clusters.list
+- dns.managedZones.list
+- iam.serviceAccountKeys.list
+- iam.serviceAccounts.list
+- logging.logMetrics.list
+- logging.sinks.list
+- monitoring.alertPolicies.list
+- resourcemanager.folders.get
+- resourcemanager.folders.getIamPolicy
+- resourcemanager.folders.list
+- resourcemanager.hierarchyNodes.listTagBindings
+- resourcemanager.organizations.get
+- resourcemanager.organizations.getIamPolicy
+- resourcemanager.projects.get
+- resourcemanager.projects.getIamPolicy
+- resourcemanager.projects.list
+- resourcemanager.resourceTagBindings.list
+- resourcemanager.tagKeys.get
+- resourcemanager.tagKeys.getIamPolicy
+- resourcemanager.tagKeys.list
+- resourcemanager.tagValues.get
+- resourcemanager.tagValues.getIamPolicy
+- resourcemanager.tagValues.list
+- storage.buckets.getIamPolicy
+- storage.buckets.list
 ```
-
-### [Cartography](https://lyft.github.io/cartography/modules/gcp/config.html)
-
+### [Cartographie](https://lyft.github.io/cartography/modules/gcp/config.html)
 ```
 From https://lyft.github.io/cartography/modules/gcp/config.html

@@ -132,9 +121,7 @@ roles/iam.securityReviewer
 roles/resourcemanager.organizationViewer
 roles/resourcemanager.folderViewer
 ```
-
 ### [Starbase](https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md)
-
 ```
 From https://github.com/JupiterOne/graph-google-cloud/blob/main/docs/development.md

@@ -143,6 +130,3 @@ roles/iam.organizationRoleViewer
 roles/bigquery.metadataViewer
 ```

-
-
-