Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs

SANS Digital Forensics and Incident Response
We'll delve into the intricacies of Google Cloud Platform (GCP) audit logs, focusing specifically on how GCP principals are represented and authenticated within these logs. Attendees will gain practical insights and a hands-on understanding of deciphering GCP audit logs to detect authentication details and impersonations and to analyze principal identities.

We will walk through the “authenticationInfo” field in the logs to understand what information it gives us, then move on to the diverse types of entities and identities we can have in GCP. We will cover what types of impersonation exist, how they are used, and by whom (GCP VMs as well). Finally, we will show what internal GCP accounts do or do not perform in our environment, and when we have no logged identities at all! Through real examples and demonstrations, this session will empower attendees to enhance their cloud security monitoring and incident response capabilities.

Takeaways:
1. Attendees will gain practical insights into deciphering GCP audit logs, focusing on authentication details and principal identities.
2. Participants will acquire the skills to identify different types of impersonations and workload identities within GCP audit logs.
3. Participants will discover the significance of service agents and the impact of missing identities in logs.

SANS DFIR Summit 2024
Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs
Speaker: Gabriel Fried, Senior Cloud Security Researcher, Mitiga
