A Proactive Cloud Function to Safeguard GCP Projects from bulkInsert API Abuse

SumanthBurla, Google Cloud - Community, Aug 31, 2023

As businesses migrate to Google Cloud Platform (GCP), security is paramount. With this rise in cloud adoption, malicious actors seek out vulnerabilities. Google's response is the Google Cybersecurity Action Team (GCAT) and its Threat Horizons report. This effort strengthens digital security, especially for cloud services, by improving their protection and defense strategies.

The GCAT Threat Horizons report offers some recommendations to strengthen security and mitigate potential attacks, which are:

  • Follow password and configuration best practices.
  • Keep third-party software up to date.
  • Set up alerts to notify of high resource consumption.
  • Avoid publishing credentials on any public platform.

While cloud customers continue to face a variety of threats across applications and infrastructure, many successful attacks are due to poor hygiene and a lack of basic control implementation.
- Bob Mechler and Seth Rosenblatt, Google Cloud Staffers

Among the numerous triggers for security breaches, compromised credentials stand out as a significant one. Adopting a proactive approach is imperative for organizations to ensure readiness against possible attacks.

In this article, I will walk you through a Cloud Function security feature that disables a service account and deletes its key when that account is used to create VMs in bulk with the bulkInsert API. This is typically the pattern when attackers try to create hundreds or thousands of VMs for crypto mining.

Let's go create that additional layer of security.

Aim:

To create a GCP log router sink to a Pub/Sub topic and, in response to the published message, trigger a Cloud Function that disables the specific GCP service account and deletes its key.

Steps

  1. Create a Pub/Sub topic.
  2. Create a log router sink to the Pub/Sub topic.
  3. Create a Cloud Function.

Step 1: Create a Pub/Sub Topic

  1. In the GCP Console, go to the Pub/Sub service and provide a name to create a Pub/Sub topic.

Step 2: Create a Log Router Sink

  1. Go to the Log Router service and create a sink with the above Pub/Sub topic as the sink destination.
  2. In the “Logs to include in sink” field, specify the inclusion filter below and proceed to create the sink.
protoPayload.methodName = "v1.compute.instances.bulkInsert"
protoPayload.request.count > 3
operation.first = true

Step 3: Create a Cloud Function

  1. Go to the Cloud Functions service and create a function whose trigger is the Cloud Pub/Sub topic we created. Proceed to write the code in any supported programming language; here, I used Python.
  2. In the function code, make sure you decode the event data using base64.b64decode().decode('utf-8').
  3. From the decoded payload, fetch the principal's email ID and verify whether it is a user or a service account; skip it if it is a user.
  4. Once you have the email ID and its key ID, call the APIs below to disable the service account and delete its key.
import googleapiclient.discovery

# project, email and keyId_items come from the decoded log entry; keyId_items[1] is the key ID parsed from it
service = googleapiclient.discovery.build('iam', 'v1', cache_discovery=False)
service.projects().serviceAccounts().disable(name='projects/%s/serviceAccounts/%s' % (project, email)).execute()
service.projects().serviceAccounts().keys().delete(name='projects/%s/serviceAccounts/%s/keys/%s' % (project, email, keyId_items[1])).execute()
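As an added example (not the code from the author's repo), here is the decision logic of steps 1 to 4 in one Python function: it decodes the Pub/Sub event, skips human principals, derives the service-account and key resource names from the audit log's authenticationInfo, and only touches the IAM API when a client is supplied. The serviceAccountKeyName format, the sample log entry and the function names are assumptions; it also covers the case where the caller used no user-managed key, so there is nothing to delete.

```python
import base64
import json
import re

# serviceAccountKeyName as audit logs record it for a user-managed key (format assumed)
KEY_NAME_RE = re.compile(r"^//iam\.googleapis\.com/projects/([^/]+)/serviceAccounts/([^/]+)/keys/([^/]+)$")

def make_event(entry):  # wrap a LogEntry dict the way Pub/Sub hands it to the function (base64 JSON)
    return {"data": base64.b64encode(json.dumps(entry).encode()).decode()}

def plan_response(event):
    """Return the IAM resource names to act on, or None for a human user.
    'key' is None when no user-managed key was used (e.g. a metadata-server token)."""
    entry = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    payload = entry["protoPayload"]
    auth = payload.get("authenticationInfo", {})
    email = auth.get("principalEmail", "")
    if not email.endswith("gserviceaccount.com"):  # skip human principals
        return None
    project = entry["resource"]["labels"]["project_id"]
    key = None
    match = KEY_NAME_RE.match(auth.get("serviceAccountKeyName", ""))
    if match:  # the key's own project/email are authoritative for the delete call
        project, email, key_id = match.groups()
        key = "projects/%s/serviceAccounts/%s/keys/%s" % (project, email, key_id)
    return {"email": email,
            "count": payload.get("request", {}).get("count", 0),
            "service_account": "projects/%s/serviceAccounts/%s" % (project, email),
            "key": key}

def handle(event, context=None, iam=None):
    """Entry point. `iam` is a client from googleapiclient.discovery.build('iam', 'v1');
    leaving it None (as here) keeps the decision logic runnable offline."""
    plan = plan_response(event)
    if plan is not None and iam is not None:
        iam.projects().serviceAccounts().disable(name=plan["service_account"]).execute()
        if plan["key"]:
            iam.projects().serviceAccounts().keys().delete(name=plan["key"]).execute()
    return plan

# Constructed sample: a trimmed bulkInsert audit log entry as the sink would publish it.
SAMPLE_ENTRY = {"resource": {"labels": {"project_id": "example-proj"}}, "protoPayload": {
    "methodName": "v1.compute.instances.bulkInsert", "request": {"count": 500},
    "authenticationInfo": {
        "principalEmail": "deploy@example-proj.iam.gserviceaccount.com",
        "serviceAccountKeyName": "//iam.googleapis.com/projects/example-proj"
                                 "/serviceAccounts/deploy@example-proj.iam.gserviceaccount.com/keys/0123abcd"}}}
SAMPLE_EVENT = make_event(SAMPLE_ENTRY)
```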

You can find the full code in my GitHub repo — GCP-BulkInsert-Security.

Also, make sure that the Cloud Function's service account has the minimum permissions required for the above API calls.

In addition, we can create a log-based metric with the same filter we used above and create an alert policy to be notified of such an event by email.

In Conclusion

All the exposés about cryptocurrency mining and other threats emphasize the need for preemptive action. By implementing the recommended security practices and using proactive Cloud Functions, businesses can significantly reduce their vulnerability to breaches and ensure a secure and resilient cloud environment.

Remember, in the ever-evolving landscape of cloud security, proactive measures are essential to stay one step ahead of potential threats and ensure the integrity of your cloud infrastructure.

Disclaimer: This article is intended for informational purposes only and does not constitute professional advice. It is encouraged to consult with security experts and follow official guidelines to ensure the highest level of cloud security.
