IAM Misconfig and Lateral Movement
Description
Granting roles/iam.serviceAccountUser or roles/iam.serviceAccountTokenCreator on powerful service accounts allows impersonation or token minting, enabling lateral movement across projects. Attackers can leverage these roles to obtain access tokens or sign JWTs and act as the service account, often with broad permissions.
Examples
Find Risky Bindings
gcloud projects get-iam-policy <project> --format=json | jq -r '.bindings[] | select(.role | test("serviceAccount(User|TokenCreator)"))'
gcloud organizations get-iam-policy <org> --format=json | jq -r '.bindings[] | select(.role | test("serviceAccount(User|TokenCreator)"))'
Mint Token
gcloud auth print-access-token --impersonate-service-account=<sa>
gcloud iam service-accounts sign-jwt --iam-account <sa> payload.json output.jwt
Remediation
- Limit SAUser/TokenCreator to trusted automation
  - Scope to specific service accounts and projects; avoid granting on high-privilege SAs.
- Prefer workload identity federation and short-lived tokens
  - Replace static keys and broad SA usage with OIDC-based federation and per-workload identities.
- Monitor and prevent
  - Alert on GenerateAccessToken, SignJwt, and SignBlob in Audit Logs; use IAM Deny policies to forbid impersonation of Tier-0 SAs.
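The alerting step above, as an added example (not part of the original page): a small detector that reads Cloud Audit Log entries as newline-delimited JSON and flags GenerateAccessToken, SignJwt and SignBlob calls against Tier-0 service accounts by callers outside an allowlist. It assumes the standard `protoPayload.serviceName`, `methodName`, `authenticationInfo.principalEmail` and `resourceName` fields; the allowlist, account names and sample log lines are constructed.

```python
import json

# Service Account Credentials API methods that mint or sign credentials.
MINT_METHODS = {"GenerateAccessToken", "SignJwt", "SignBlob"}

TIER0_ALLOWLIST = {  # hypothetical: Tier-0 SA email -> principals allowed to impersonate it
    "org-admin@prod-example.iam.gserviceaccount.com": {"deploy-bot@ci-example.iam.gserviceaccount.com"},
}

def classify(entry):
    """Return a finding for an unapproved mint/sign call on a Tier-0 SA, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("serviceName") != "iamcredentials.googleapis.com":
        return None
    method = payload.get("methodName", "").rsplit(".", 1)[-1]
    if method not in MINT_METHODS:
        return None
    # resourceName has the form projects/-/serviceAccounts/<sa-email>
    target = payload.get("resourceName", "").rsplit("/", 1)[-1]
    if target not in TIER0_ALLOWLIST:
        return None
    caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
    if caller in TIER0_ALLOWLIST[target]:
        return None
    return {"method": method, "caller": caller, "target": target}

def scan(log_lines):
    """Parse newline-delimited JSON audit-log entries and return all findings."""
    return [f for f in (classify(json.loads(line)) for line in log_lines) if f]

def _entry(method, caller, sa, service="iamcredentials.googleapis.com"):
    """Build a constructed log entry containing only the fields the detector reads."""
    return json.dumps({"protoPayload": {
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": caller},
        "resourceName": f"projects/-/serviceAccounts/{sa}"}})

# Constructed sample log lines (not captured from a real project).
SAMPLE_LOGS = [
    _entry("GenerateAccessToken", "deploy-bot@ci-example.iam.gserviceaccount.com",
           "org-admin@prod-example.iam.gserviceaccount.com"),  # allowlisted caller
    _entry("GenerateAccessToken", "dev@example.com",
           "org-admin@prod-example.iam.gserviceaccount.com"),  # should alert
    _entry("SignJwt", "dev@example.com",
           "builder@dev-example.iam.gserviceaccount.com"),  # not a Tier-0 SA
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

These calls are recorded as Data Access audit logs, which are not enabled by default, so the detector only sees them once that log type is turned on for the IAM Service Account Credentials API.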