Google Certified Associate Cloud Engineer 2020


GCP service account compromise questions — Security and Roles

Hi There,

I have a question; see the question below from the practice exam.

Thinking of an attacker compromising an instance that has a full-access (GCE, GCS) service account, won't the attacker be able to steal the data from GCS, and may delete it and cause loss of data? So shouldn't the answer be "Access everything allowed by access scope"?

I feel like the answer should be "B" and not "C". I need your views and suggestions on this.

_Question:_ You have a GCE instance using the default service account and access scopes allowing full access to storage, compute, and billing. What will happen if an **attacker compromises this** instance and runs their own program on it?  
A) If they send the credentials and use them outside of GCP, they will not be able to access any GCP services.  
B) If they send the credentials and use them outside of GCP, they will be able to access everything allowed by the access scopes.  
C) None of the other options is correct. **_(correct answer as per ACloud Guru)_**  
D) If they send the credentials and use them outside of GCP, they will have the same access as the GCE instance only if they spoof that machine’s MAC address.  
E) If they send the credentials and use them outside of GCP, they will be able to access everything allowed by the service account.  
F) They will be unable to access any credentials because of the “Metadata-Flavor: Google” protection.

Explanation from ACloud Guru

Requiring the “Metadata-Flavor: Google” header protects against a different type of attack than the one described in this question, so it will not help in this case. The access token will be available to the attacker’s program and it will work the same way from outside of GCP as it does from within it, regardless of the MAC address. In particular, the token will only allow the attacker (as any user) to perform whatever is allowed by both the service account and the access scopes. Since both the service account and the access scopes are missing some capabilities from the other, the actual access possible by using the token will be less than either of them, independently.

Understanding Service Accounts  
Storing and Retrieving Instance Metadata

0 Answers
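A defender's check for the configuration the question describes, as an added example that is not part of the original post or of ACloud Guru's material: it scans instance records for service accounts attached with broad access scopes and ranks the default Compute Engine service account highest. The instance names, project number and custom service account are constructed; the record layout follows `gcloud compute instances list --format=json`.

```python
import json

# OAuth scopes that let a stolen token reach most of a project.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/compute",
}
# The Compute Engine default service account is PROJECT_NUMBER-compute@...
DEFAULT_SA_SUFFIX = "-compute@developer.gserviceaccount.com"

# Constructed sample, shaped like `gcloud compute instances list --format=json`.
SAMPLE = json.loads("""
[
 {"name": "web-1", "serviceAccounts": [{
   "email": "123456789012-compute@developer.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "batch-1", "serviceAccounts": [{
   "email": "batch-sa@example-project.iam.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}]},
 {"name": "db-1", "serviceAccounts": [{
   "email": "123456789012-compute@developer.gserviceaccount.com",
   "scopes": ["https://www.googleapis.com/auth/devstorage.read_only",
              "https://www.googleapis.com/auth/logging.write"]}]},
 {"name": "isolated-1"}
]
""")

def audit(instances):
    """Return one finding per instance/service-account pair with broad scopes."""
    findings = []
    for inst in instances:
        for sa in inst.get("serviceAccounts", []):
            broad = sorted(BROAD_SCOPES & set(sa.get("scopes", [])))
            if not broad:
                continue  # narrow scopes already cap what a token can do
            is_default = sa.get("email", "").endswith(DEFAULT_SA_SUFFIX)
            findings.append({
                "instance": inst["name"],
                "email": sa.get("email", ""),
                "broad_scopes": broad,
                # Broad scopes leave IAM roles as the only limit on the token.
                "severity": "high" if is_default else "review",
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["severity"], f["instance"], f["email"], ", ".join(f["broad_scopes"]))
```

Instances rated "review" still depend on the IAM roles granted to their custom service account, which this check does not read.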
