gcp_scanner
A comprehensive scanner for Google Cloud.
This is a GCP resource scanner that can help determine what level of access certain credentials possess on GCP. The scanner is designed to help security engineers evaluate the impact of a certain VM/container compromise, GCP service account or OAuth2 token key leak.
Currently, the scanner supports the following GCP resources:
- GCE
- GCS
- GKE
- App Engine
- Cloud SQL
- BigQuery
- Spanner
- Pub/Sub
- Cloud Functions
- BigTable
- CloudStore
- KMS
- Cloud Services
- The scanner supports SA impersonation
The scanner supports extracting and using the following types of credentials:
- GCP VM instance metadata;
- User credentials stored in gcloud profiles;
- OAuth2 Refresh Token with cloud-platform scope granted;
- GCP service account key in JSON format.
The scanner does not rely on any third-party tool (e.g. gcloud). Thus, it can be compiled as a standalone tool and used on a machine with no GCP SDK installed (e.g. a Kubernetes pod).