This repository has been archived by the owner on Apr 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 62
/
Copy pathResourceManager.yaml
184 lines (183 loc) · 8.84 KB
/
ResourceManager.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
version: 1
ATT&CK version: 10
creation date: 03/25/2022
last update: 06/07/2022
name: ResourceManager
contact: [email protected]
organization: Center for Threat Informed Defense (CTID)
platform: GCP
tags:
- Identity
- Access Management
- Credentials
- Network
- Configuration Management
description: >-
Google Cloud Platform provides resource containers such as organizations, folders, and projects
that allow users to group and hierarchically organize other GCP resources. This hierarchical
organization lets users easily manage common aspects of your resources such as access control and
configuration settings. Resource Manager enables users to programmatically manage these resource
containers.
techniques:
- id: T1580
name: Cloud Infrastructure Discovery
technique-scores:
- category: Protect
value: Significant
comments: >-
Resource Manager can easily modify your Cloud Identity and Access Management policies for
your organization and folders, and the changes will apply across all the projects and
resources. Create and manage IAM access control policies for your organization and
projects. This control may prevent adversaries that try to discover resources by placing a
limit on discovery of these resources with least privilege.
- category: Detect
value: Minimal
comments: >-
GCP allows configuration of account policies to enable logging and IAM permissions and
roles that may detect compromised user attempts to discover infrastructure and resources.
- id: T1562
name: Impair Defenses
technique-scores:
- category: Protect
value: Partial
comments: >-
An adversary may disable cloud logging capabilities and integrations to limit what data is
collected on their activities and avoid detection. GCP allows configuration of account
policies to enable logging and IAM permissions and roles to determine your ability to
access audit logs data in Google Cloud resources.
- id: T1562.007
name: Disable or Modify Cloud Firewall
technique-scores:
- category: Protect
value: Partial
comments: >+
This control adopts the security principle of least privilege, which grants necessary
access to user's resources when justified and needed. This control manages access control
and ensures proper user permissions are in place to prevent adversaries that try to modify
and/or disable firewall.
- category: Detect
value: Partial
comments: >-
An adversary may disable cloud logging capabilities and integrations to limit what data is
collected on their activities and avoid detection. GCP allows configuration of account
policies to enable logging and IAM permissions and roles to determine your ability to
access audit logs data in Google Cloud resources.
- id: T1562.008
name: Disable Cloud Logs
technique-scores:
- category: Protect
value: Partial
comments: >
This control adopts the security principle of least privilege, which grants necessary
access to user's resources when justified and needed. This control manages access control
and ensures proper user permissions are in place to prevent adversaries that try to modify
and/or disable cloud logging capabilities.
- id: T1087
name: Account Discovery
technique-scores:
- category: Detect
value: Minimal
comments: >-
Adversaries may attempt to get a listing of cloud accounts that are created and configured
by an organization or admin. IAM audit logging in GCP can be used to determine roles and
permissions, along with routinely checking user permissions to ensure only the expected
users have the ability to list IAM identities or otherwise discover cloud accounts.
- id: T1087.004
name: Cloud Account
technique-scores:
- category: Protect
value: Minimal
comments: >-
This control may mitigate adversaries that attempt to get a listing of cloud accounts,
such as use of calls to cloud APIs that perform account discovery.
- category: Detect
value: Minimal
comments: >-
Adversaries may attempt to get a listing of cloud accounts that are created and configured
by an organization or admin. IAM audit logging in GCP can be used to determine roles and
permissions, along with routinely checking user permissions to ensure only the expected
users have the ability to list IAM identities or otherwise discover cloud accounts.
- id: T1613
name: Container and Resource Discovery
technique-scores:
- category: Protect
value: Partial
comments: >-
Google Cloud Platform provides resource containers such as organizations, folders, and
projects that allow one to group and hierarchically organize other GCP resources. This
control may mitigate by denying direct remote access to internal systems through the use
of network proxies, gateways, and firewalls from adversaries that may attempt to discover
containers and other resources that are available within a containers environment.
- id: T1552.007
name: Container API
technique-scores:
- category: Protect
value: Minimal
comments: >-
To control access to resources, GCP requires that accounts making API requests have
appropriate IAM roles. IAM roles include permissions that allow users to perform specific
actions on Google Cloud resources. This control may mitigate adversaries that gather
credentials via APIs within a containers environment. Since this covers only one of the
sub-techniques, it is given a Minimal scoring.
- id: T1098
name: Account Manipulation
technique-scores:
- category: Protect
value: Minimal
comments: >-
GCP offers Identity and Access Management (IAM), which lets admins give more granular
access to specific Google Cloud resources and prevents unwanted access to other resources.
This allows configuration of access controls and firewalls to limit access to critical
systems and domain controllers.
- id: T1098.001
name: Additional Cloud Credentials
technique-scores:
- category: Protect
value: Minimal
comments: >-
GCP offers Identity and Access Management (IAM), which lets admins give more granular
access to specific Google Cloud resources and prevents unwanted access to other resources.
This allows configuration of access controls and firewalls to limit access to critical
systems and domain controllers.
- id: T1078
name: Valid Accounts
technique-scores:
- category: Protect
value: Minimal
comments: >-
Adversaries may attempt to obtain credentials of existing account through privilege
escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and
permissions, along with routinely checking user permissions to ensure only the expected
users have the ability to list IAM identities or otherwise discover cloud accounts.
- id: T1078.004
name: Cloud Accounts
technique-scores:
- category: Protect
value: Minimal
comments: >-
Adversaries may attempt to obtain credentials of existing account through privilege
escalation or defense evasion. IAM audit logging in GCP can be used to determine roles and
permissions, along with routinely checking user permissions to ensure only the expected
users have the ability to list IAM identities or otherwise discover cloud accounts.
- id: T1562.001
name: Disable or Modify Tools
technique-scores:
- category: Protect
value: Partial
comments: >-
This control adopts the security principle of least privilege, which grants necessary
access to user's resources when justified and needed. This control manages access control
and ensures proper user permissions are in place to prevent adversaries that try to modify
and/or disable security tools.
- id: T1562.002
name: Disable Windows Event Logging
technique-scores:
- category: Protect
value: Partial
comments: >
This control adopts the security principle of least privilege, which grants necessary
access to user's resources when justified and needed. This control manages access control
and ensures proper user permissions are in place to prevent adversaries that try to
interfere with logging.
references:
- 'https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy'