Hello? Whose service account keys are these?

Описание: Hello? Whose service account keys are these?
Lee Livsey

Abstract:
The risks associated with the use of long-lived credentials to access cloud estates are well-known, and has resulted in various security breaches due to insecurely stored credentials in places such as public repositories and internet-accessible services. Yet they continue to occur. Separately, usage of third-party SaaS solutions which require keys to interact with cloud resources adds additional confusion and can make visibility of such credentials difficult to manage.
This talk aims to discuss these challenges within the specific context of GCP, and provide additional impetus to have organisations adopt secure credential handling practices when dealing with GCP projects. We'll discuss some of the core issues related to GCP service account keys and the broader IAM model, and provide real world examples of the potential impact when these go wrong.
We'll then introduce a real world case study of these challenges via a newly identified bug within a managed GCP service which could have enabled a malicious attacker to obtain a privileged foothold within an organisation's GCP project. This intends to highlight that the risk of long-lived credentials remain unresolved and that GCP estates are also susceptible. The talk will conclude with a high-level overview of the vulnerability disclosure process and our experiences interacting with Google's security team.
Attendees will gain an understanding of:
The risks posed by over-permissive long-lived credential material within a GCP estate and the potential impact that a threat actor could cause.
How security teams can identify long-lived credentials and alternative approaches which can be considered to limit the potential attack window.
Encouragement to work collaboratively with the Google Security Team to help increase the security posture of its service offering.

Lee Livsey:
Lee is a Security Consultant at Reversec. He has a range of experience within offensive security, including both cloud and web application security. Lee's current work is primary related to security within GCP, with additional background within AWS.

Recorded at fwd:cloudsec Europe 2025
https://fwdcloudsec.org/