CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Exploiting IAM in GCP

In this talk, we will take a closer look at the Google Cloud Platform (GCP) IAM model. You’ll be introduced to the relevant concepts to understand the different types of identities, IAM permissions, and scopes. Did you know that the default IAM policy for the compute engine service account includes the ability to impersonate other service accounts, among other things?

Most importantly, we'll learn how to leverage certain service account configurations to escalate privileges from a virtual machine. I will show a demo where I use a shell on a virtual machine to tear down another security control and allow data exfiltration out of the environment. By the end of the talk, you'll understand how to impersonate service accounts, conduct recon, and escalate your privileges from a virtual machine. You'll also get some ideas on how to mitigate these attacks.
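The abstract's point that the default Compute Engine service account can come with impersonation-capable grants is something a defender can check for directly in a project's IAM policy. The script below is an added example and not part of the talk: it reads a policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, matches members against the fixed `PROJECT_NUMBER-compute@developer.gserviceaccount.com` address of the default compute service account, and reports any binding whose role is on an assumed watch list of roles that allow acting as, or minting tokens for, other service accounts. The sample policy and project number are constructed.

```python
"""Audit a GCP project IAM policy for impersonation-capable grants to the
default Compute Engine service account.

Added example (not from the talk). Input is a policy in the JSON shape
returned by `gcloud projects get-iam-policy PROJECT --format=json`.
"""
from __future__ import annotations

import json
import re

# Roles that let a principal act as, or mint tokens for, other service accounts.
# This watch list is an assumption of the example; review it against the
# current IAM role reference for your organisation.
IMPERSONATION_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountAdmin",
    "roles/iam.serviceAccountKeyAdmin",
}

# The default Compute Engine service account has a fixed address pattern.
DEFAULT_COMPUTE_SA = re.compile(
    r"^serviceAccount:(?P<project_number>\d+)-compute@developer\.gserviceaccount\.com$"
)


def find_risky_bindings(policy: dict) -> list[dict]:
    """Return one finding per (member, role) pair where the default compute
    service account holds a role on the impersonation watch list."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in IMPERSONATION_ROLES:
            continue
        for member in binding.get("members", []):
            if DEFAULT_COMPUTE_SA.match(member):
                findings.append(
                    {
                        "member": member,
                        "role": role,
                        # Conditional bindings still deserve review, so keep the condition.
                        "condition": binding.get("condition"),
                    }
                )
    return findings


# Constructed sample policy; project number 123456789012 is a placeholder.
SAMPLE_POLICY = json.loads(
    """
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/logging.viewer",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]}
  ],
  "etag": "BwXyZ",
  "version": 1
}
"""
)

if __name__ == "__main__":
    for finding in find_risky_bindings(SAMPLE_POLICY):
        print(f"{finding['member']} holds {finding['role']}")
```

On the constructed policy this reports the Editor and Service Account Token Creator grants and ignores the Logging Viewer one. In practice, feed it the real policy output and treat each finding as a candidate for replacing the default service account with a purpose-built one that carries only the roles the workload needs; the organization policy constraint `constraints/iam.automaticIamGrantsForDefaultServiceAccounts` prevents new projects from granting Editor to the default service accounts in the first place.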

Colin Estep

Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. He researches the challenges of securing AWS and GCP, informing product direction for Netskope's IaaS product. Colin was previously the CSO at Sift Security (acquired by Netskope), where he built cloud-native intrusion detection for AWS and GCP. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. Colin was also an FBI Agent specializing in cybercrime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.