gcp-func-default-svc-acc: Google Cloud Functions Using Default Service Account

Date: 2025-08-01 | Affected software: Google Cloud Functions | PoC: public

Vulnerability description

Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.

PoC code [public]

id: gcp-func-default-svc-acc

info:
  name: Google Cloud Functions Using Default Service Account
  author: princechaddha
  severity: medium
  description: |
    Ensure that your Google Cloud functions are configured to use user-managed service accounts instead of the default service account managed by Google Cloud in order to follow the Principle of Least Privilege (POLP) and enhance the security posture of your functions.
  impact: |
    Using default service accounts can grant more permissions than required to your functions, violating the Principle of Least Privilege and increasing security risks.
  remediation: |
    Configure your Google Cloud functions to use user-managed service accounts that have only the permissions necessary for the function to operate.
  reference:
    - https://cloud.google.com/functions/docs/securing/managing-access-iam
  tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let functionDetail of iterate(template.functions)){
      set("functionName", functionDetail)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud functions list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: functions
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      # Scope the lookup to the project being iterated rather than the gcloud default project
      gcloud functions describe $functionName --project $projectId --format="value(serviceConfig.serviceAccountEmail)"

    matchers:
      - type: word
        words:
          - '@appspot.gserviceaccount.com'
          - '@developer.gserviceaccount.com'
        condition: or

    extractors:
      - type: dsl
        dsl:
          - '"Default Service Account used in function: " + functionName + " in " + projectId + " project"'
# digest: 4a0a0047304502207fc6a953b87cb78ff44c19096ded2962ce2b34b8f899da6e3c028c21ed62e080022100abe481b531bf4d078a50657118954d54ced272d83f731725c10a25d24b946975:922c64590222798bb761d5b6d8e72950
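As an added example (not part of the nuclei template above), the following Python performs the same classification offline on constructed `gcloud functions describe --format=json` records: it reads the gen1 top-level `serviceAccountEmail` as well as the gen2 `serviceConfig.serviceAccountEmail` field, and matches the two default-account name shapes (App Engine and Compute Engine defaults) instead of the bare domain suffix. The project `demo-proj`, the function names and the account emails are constructed sample values.

```python
import json
import re
from typing import Dict, List, Optional

# Google-managed defaults that gcloud attaches when no account is specified
# (name shapes taken from Google's documentation; assumed here, not from the template):
#   App Engine default:     PROJECT_ID@appspot.gserviceaccount.com
#   Compute Engine default: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_SA_PATTERNS = [
    re.compile(r"^[a-z][a-z0-9.:-]*@appspot\.gserviceaccount\.com$"),
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
]

# Constructed sample mimicking `gcloud functions describe ... --format=json` output
# for one gen1 and two gen2 functions in a hypothetical project "demo-proj".
SAMPLE_DESCRIBE_OUTPUT = json.loads("""[
 {"name": "projects/demo-proj/locations/us-central1/functions/gen1-default",
  "serviceAccountEmail": "demo-proj@appspot.gserviceaccount.com"},
 {"name": "projects/demo-proj/locations/us-central1/functions/gen2-default",
  "serviceConfig": {"serviceAccountEmail": "123456789012-compute@developer.gserviceaccount.com"}},
 {"name": "projects/demo-proj/locations/europe-west1/functions/gen2-scoped",
  "serviceConfig": {"serviceAccountEmail": "fn-runtime@demo-proj.iam.gserviceaccount.com"}}
]""")


def service_account_of(func: Dict) -> Optional[str]:
    """gen2 nests the runtime account under serviceConfig; gen1 keeps it top-level."""
    nested = func.get("serviceConfig", {}).get("serviceAccountEmail")
    return nested or func.get("serviceAccountEmail")


def is_default_service_account(email: Optional[str]) -> bool:
    """True for a Google-managed default account. A missing value is flagged too,
    because a function deployed without an explicit account runs as the default."""
    if not email:
        return True
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def find_default_sa_functions(records: List[Dict]) -> List[str]:
    """Emit findings in the same wording as the template's DSL extractor."""
    findings = []
    for rec in records:
        # Resource names look like projects/P/locations/R/functions/NAME.
        _, project, _, _, _, name = rec["name"].split("/")
        if is_default_service_account(service_account_of(rec)):
            findings.append(f"Default Service Account used in function: {name} in {project} project")
    return findings
```

Run against real output, pipe `gcloud functions describe` JSON for each function into a list and pass it to `find_default_sa_functions`; user-managed accounts of the form `NAME@PROJECT_ID.iam.gserviceaccount.com` are left unflagged.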
