The GCP Metadata API - Security Considerations, Vulnerabilities, and Remediations

Explore the security implications of the Google Cloud Platform (GCP) Metadata API in this BSidesSF 2020 conference talk. Delve into the differences between AWS and GCP metadata APIs, understanding the additional protections and higher stakes involved in GCP. Learn about attack vectors and defense strategies for the GCP metadata API, as well as the potential risks it poses to organizations. Gain insights into GCP's resource hierarchy, service accounts, and Kubernetes Engine. Witness demonstrations of managed service accounts, role copying, and Cloud Build credentials. Discover recommendations for enhancing security, including the use of StackDriver, event threat detection, and network monitoring. Acquire valuable knowledge to better protect your GCP environment and mitigate potential vulnerabilities associated with the metadata API.

Introduction
Who are we
What is the GCP
Example
Different Platforms
AWS Metadata API
GCP Metadata API
GCP Resource Hierarchy
Service Accounts
Kubernetes Engine
Default Service Accounts
Metadata Protections
Demo
Managed Service Accounts
Copying a Role
Cloud Build
Credentials
Demonstration
Recap
StackDriver
Event Threat Detection
Network Monitoring
Recommendations
Repost