GCP Scanner v1.4 releases: A comprehensive scanner for Google Cloud

Google Cloud scanner

GCP Scanner

This is a GCP resource scanner that can help determine what level of access certain credentials possess on GCP. The scanner is designed to help security engineers evaluate the impact of a certain VM/container compromise, GCP service account or OAuth2 token key leak.

Currently, the scanner supports the following GCP resources:

  • GCE
  • GCS
  • GKE
  • App Engine
  • Cloud SQL
  • BigQuery
  • Spanner
  • Pub/Sub
  • Cloud Functions
  • BigTable
  • CloudStore
  • KMS
  • Cloud Services
  • The scanner supports SA impersonation

The scanner supports extracting and using the following types of credentials:

  • GCP VM instance metadata;
  • User credentials stored in gcloud profiles;
  • OAuth2 Refresh Token with cloud-platform scope granted;
  • GCP service account key in JSON format.

The scanner does not rely on any third-party tool (e.g. gcloud). Thus, it can be compiled as a standalone tool and used on a machine with no GCP SDK installed (e.g. a Kubernetes pod). However, please keep in mind that the only OS that is currently supported is Linux.

Please note that GCP offers Policy Analyzer to find out which principals (users, service accounts, groups, and domains), have what access to which Google Cloud resources. However, it requires specific permissions on the GCP project and the Cloud Assets API needs to be enabled. If you just have a GCP SA key, access to a previously compromised VM, or an OAUth2 refresh token, gcp_scanner is the best option to use.

Changelog v1.4

  • fix: Handle of missing iam_policy key in input JSON for visualization tool
  • fix: Use extend on crawlers to avoid replacing results
  • Viz tool: Added table view for resource page to visualization
  • Viz tool: Added regex search for Resource and RoleList pages
  • feat: Implement Compute Security Policies
  • Grammar and typos fixes
  • feat: Add support for CloudBilling resource
  • Fixing -p/-f option and printing

Install & Use

Disclaimer

This project is not an official Google project. It is not supported by Google and Google specifically disclaims all warranties as to its quality, merchantability, or fitness for a particular purpose.