The Default Toxic Combination of GCP Compute Engine Instances
By default, compute instances in GCP are prone to a toxic combination that you should be aware of, and that you can avoid and fix.
How Attackers Can Exploit GCP’s Multicloud Workload Solution
A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at risks and how to avoid misconfigurations.
The Advanced Risk of Basic Roles In GCP IAM
Basic roles in GCP allow data-level actions, even though at first glance it might seem like they don’t. Avoid using basic roles, and if you must use them, make a special effort to protect any sensitive data you store in your GCP projects.
Identity Access Management in Google Cloud Platform (GCP IAM)
An introduction for anyone getting started with GCP or even experienced professionals who are looking for a structured overview.
Hidden Risk in the Default Roles of Google-Managed Service Accounts
Some Google-managed service accounts are bound by default to a role granting access to storage.objects.read. This hidden risk is (yet another) great reason to use customer-managed KMS keys to encrypt your sensitive data stored in buckets.
The GCP Shared Responsibility Model: Everything You Need to Know
What the GCP Shared Responsibility Model is and how security teams can get started
Wayward Sheriffs and Confused Deputies: Risks in GCP Third Party Access
Most GCP third-party vendors ask for permanent service account keys for access -- increasing credential leakage risk. Used correctly, short-lived credentials offer a secure alternative.