Google Cloud’s New Privilege Access Management Solution
Google launched a new feature in May (Privileged Access Manager) that helps bridge the gap for just-in-time access, where previously the recommendation was to use a third-party tool. Currently this feature is in public preview, meaning different SLAs apply to the product, but users can use the feature once the API is enabled within the GCP hierarchy.
Some key terms you ought to know:
Entitlements:
- Entitlements can be created at the organization, folder, or project level. Roles granted by an entitlement at each level follow the Google Cloud resource hierarchy. For example, roles granted by an entitlement at the organization level are inherited at the folder and project levels.
- If you add a group as a requester to an entitlement, all individual accounts in that group can request a grant of that entitlement. However, only the individual account requesting the grant can receive elevated privileges.
- If you add a group as an approver to an entitlement, all individual accounts in that group can approve or deny a grant request.
- Basic roles aren’t supported.
Grants:
Grants can be viewed as the who, what, and status of the user who is requesting temporary access to the "entitlement".
A grant's status is either denied or approved. Additionally, it shows who the requester is and who the approvers are.
From a security standpoint this is a step in the right direction, as this had been a major pain point within Google Cloud Platform. Now let's dive into how PAM should be used in the fashion it is intended to be used.
Ensure you have the correct permissions to create an entitlement at the project level:
- roles/privilegedaccessmanager.admin
- roles/resourcemanager.projectIamAdmin
Enable the PAM API under the API Library in your project.
Create your first Entitlement.
Following the steps from the GUI, we created an Entitlement that allows specific users to request an elevated role of Compute Admin for 1 hour max in a methodical way. On top of that, we have forced the user who is requesting the temporary elevation to provide a business justification or add a ticket # for tracking purposes.
You can also create Entitlements through your CI/CD pipeline with a simple .yaml configuration, example below.
```yaml
---
additionalNotificationTargets:
  adminEmailRecipients:
  - $email
approvalWorkflow:
  manualApprovals:
    requireApproverJustification: true
    steps:
    - approvalsNeeded: 1
      approvers:
      - principals:
        # principals are "type:identifier" strings, e.g. user:alice@example.com
        - user:$email
createTime: '*****'   # createTime, etag, state and updateTime are server-populated
eligibleUsers:
- principals:
  - user:$email
etag: '"******"'
maxRequestDuration: 3600s   # 1 hour max per grant
name: projects/$PROJECT_ID/locations/global/entitlements/pam-compute-admin
privilegedAccess:
  gcpIamAccess:
    resource: //cloudresourcemanager.googleapis.com/projects/$PROJECT_ID
    resourceType: cloudresourcemanager.googleapis.com/Project
    roleBindings:
    - role: roles/compute.admin
requesterJustificationConfig:
  unstructured: {}   # requester must supply a free-text justification
state: AVAILABLE
updateTime: '******'
---
additionalNotificationTargets:
  adminEmailRecipients:
  - $email
approvalWorkflow:
  manualApprovals:
    requireApproverJustification: true
    steps:
    - approvalsNeeded: 1
      approverEmailRecipients:
      - $email
      approvers:
      - principals:
```
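As an added example (not from the original post and not Google's code), here is a small stdlib-only guardrail check a CI/CD pipeline could run over an entitlement before creating it. It assumes the entitlement has already been parsed into a dict (the constructed sample below mirrors the YAML above in JSON form), that principals must be `user:`/`group:`/`serviceAccount:` strings, and that basic roles are rejected as unsupported.

```python
import json
import re
# Constructed sample mirroring the page's entitlement YAML (JSON so the stdlib parses it).
SAMPLE = json.loads("""{
  "maxRequestDuration": "3600s",
  "eligibleUsers": [{"principals": ["user:dev@example.com"]}],
  "approvalWorkflow": {"manualApprovals": {"requireApproverJustification": true,
    "steps": [{"approvalsNeeded": 1, "approvers": [{"principals": ["user:secadmin@example.com"]}]}]}},
  "privilegedAccess": {"gcpIamAccess": {"roleBindings": [{"role": "roles/compute.admin"}]}},
  "requesterJustificationConfig": {"unstructured": {}}}""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}   # unsupported by PAM
PRINCIPAL_RE = re.compile(r"^(user|group|serviceAccount):\S+$")  # assumed accepted prefixes

def duration_seconds(value):
    """Parse a protobuf Duration string such as '3600s' into seconds."""
    return float(re.fullmatch(r"(\d+(?:\.\d+)?)s", str(value)).group(1))

def bad_principals(principals, label):
    # "- user: x@example.com" in YAML becomes a mapping, not the "user:x@example.com"
    # string PAM expects, so non-strings are flagged as well as malformed strings.
    return [f"{label} {p!r} is not a user:/group:/serviceAccount: string"
            for p in principals if not isinstance(p, str) or not PRINCIPAL_RE.match(p)]

def lint_entitlement(ent, max_seconds=3600):
    """Return guardrail violations for one entitlement; an empty list means it passes."""
    problems = []
    if duration_seconds(ent.get("maxRequestDuration", "0s")) > max_seconds:
        problems.append(f"maxRequestDuration exceeds {max_seconds}s")
    if "unstructured" not in ent.get("requesterJustificationConfig", {}):
        problems.append("requester justification is not required")
    manual = ent.get("approvalWorkflow", {}).get("manualApprovals") or {}
    if not manual.get("steps"):
        problems.append("no manual approval step: requests need no approver")
    else:
        if not manual.get("requireApproverJustification"):
            problems.append("approver justification is not required")
        for i, step in enumerate(manual["steps"]):
            approvers = [p for a in step.get("approvers", []) for p in a.get("principals", [])]
            if step.get("approvalsNeeded", 0) < 1 or not approvers:
                problems.append(f"step {i}: needs approvalsNeeded >= 1 and at least one approver")
            problems += bad_principals(approvers, f"step {i} approver")
    eligible = [p for e in ent.get("eligibleUsers", []) for p in e.get("principals", [])]
    if not eligible:
        problems.append("no eligible users")
    problems += bad_principals(eligible, "eligible user")
    for rb in ent.get("privilegedAccess", {}).get("gcpIamAccess", {}).get("roleBindings", []):
        if rb.get("role") in BASIC_ROLES:
            problems.append(f"basic role {rb['role']} is not supported")
    return problems
```

Run it as a pipeline gate and fail the job when the returned list is non-empty; the sample passes, while a two-hour duration, a basic role, or a `user: email` mapping principal each produce a finding.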
Let's dive into what it looks like from an end user's perspective. End users will need to navigate to the PAM icon and then select "My Entitlements".
During the creation of the Entitlement, we chose to require an approver. The appropriate people outlined in the earlier steps will be notified that a grant has been requested, and all the end user or requester has to do is wait for the approval.
Now an admin will automatically get emailed when someone has requested access to the Entitlement. You may also verify within the GCP console itself. Now, in my opinion this email looks very phishy and my initial instinct was to report/delete it, but with a little due diligence I can confirm it's a legitimate email from Google. Google even calls out in the official documentation that you should allowlist pam-noreply@google.com.
Security admins can now see the request and will either approve or deny based on the justification and context around the request.
Once approved, the countdown starts on how long the access will last.
Conclusion:
In my opinion this new Privileged Access Manager feature is a step in the right direction for GCP's overall security offering, and will definitely help GCP-native organizations achieve just-in-time access for their break-glass strategies. PAM entitlements are clearly labeled in an IAM policy, which is an added bonus that helps with logging and SIEM searches.
To extend my opinion further, you could look at this as a replacement for service account impersonation, where GCP service accounts hold long-term access just waiting for a threat actor to use them for lateral movement.
Also, I envision companies with a solid IAM policy implementation could take this further as a developer self-service offering, knowing there are appropriate logging and guardrails in place.
Bio: Jacob has been in IT for 7 years and is currently a Staff Cloud Security Engineer, technical mentor, ISC2 CISSP member, and part time goat rancher.