Fix broken GCP technique (#305)

* Fix GCP attack technique failing to impersonate service accounts (closes #299) * Adapt GCP attack technique error message * Update GCP docs quote
DataDog · Jan 30, 2023 · b08d3b9 · b08d3b9
1 parent fad7958
commit b08d3b9
Showing 1 changed file with 18 additions and 4 deletions.
diff --git a/v2/internal/attacktechniques/gcp/privilege-escalation/impersonate-service-accounts/main.go b/v2/internal/attacktechniques/gcp/privilege-escalation/impersonate-service-accounts/main.go
@@ -47,7 +47,21 @@ References:
 - https://cloud.google.com/iam/docs/impersonating-service-accounts
 `,
 		Detection: `
-Using GCP Admin Activity audit logs event <code>GenerateAccessToken</code>.
+Using GCP Admin Activity audit logs event <code>GenerateAccessToken</code>. 
+To get this event, you need to [enable IAM audit logs for data access activity](https://cloud.google.com/iam/docs/audit-logging#enabling_audit_logging).
+More specifically, you need to enable <code>DATA_READ</code> for your GCP project, e.g. using Terraform:
+
+` + codeBlock + `hcl
+data "google_client_config" "current" {}
+
+resource "google_project_iam_audit_config" "audit" {
+  project = data.google_client_config.current.project
+  service = "allServices"
+  audit_log_config {
+    log_type = "DATA_READ"
+  }
+}
+` + codeBlock + `
 
 Sample successful event (shortened for clarity):
 
@@ -93,9 +107,9 @@ Sample successful event (shortened for clarity):
 When impersonation fails, the generated event **does not contain** the identity of the caller, as explained in the
 [GCP documentation](https://cloud.google.com/logging/docs/audit#user-id):
 
-> For privacy reasons, the caller's principal email address is redacted from an audit log if the operation is 
-> read-only and fails with a "permission denied" error. The only exception is when the caller is a service 
-> account in the Google Cloud organization associated with the resource; in this case, the email address isn't redacted.
+> Audit logging doesn't redact the caller's principal email address for any access that succeeds or for any write operation.
+> For read-only operations that fail with a "permission denied" error, Audit Logging might redact the caller's principal 
+> email address unless the caller is a service account.
 
 Sample **unsuccessful** event (shortened for clarity):