Tags
Cloud
CI/CD
ATT&CK Tactic
Initial Access (TA0001)
Credential Access (TA0006)
References
https://awsteele.com/blog/2023/01/11/improve-github-actions-oidc-security-posture-with-custom-issuer.html
https://awsteele.com/blog/2021/10/12/aws-iam-oidc-idps-need-more-controls.html
https://awsteele.com/blog/2021/09/15/aws-federation-comes-to-github-actions.html
https://www.rezonate.io/blog/github-misconfigurations-put-gcp-aws-in-account-takeover-risk/
https://www.revblock.dev/exploiting-misconfigured-google-cloud-service-accounts-from-github-actions/
https://cloud.google.com/iam/docs/workload-identity-federation-with-deployment-pipelines?ref=revblock.dev#mappings-and-conditions
https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
Last edited
Jan 11, 2024 9:00 AM
Status
Featured
If a service (such as a GitHub Actions workflow) is granted access to a cloud environment via OIDC (OpenID Connect), the trust policy of the corresponding role or service account must include conditions that restrict which identities from that provider are allowed to impersonate it. Without such conditions, any workload that can obtain a token from the same issuer (for example, a workflow in any GitHub repository) satisfies the trust policy, so an attacker who discovers the service account and OIDC details can carry out a confused deputy attack.
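The condition the paragraph calls for, shown as an added example that is not from the original page: an AWS IAM role trust policy for the GitHub Actions OIDC provider, with placeholder account ID, organization and repository names. The weak version of this policy is the same document with only the `aud` condition (or no condition at all); the `sub` condition below is what limits the role to one repository and branch.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<ACCOUNT_ID>:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
          "token.actions.githubusercontent.com:sub": "repo:EXAMPLE-ORG/EXAMPLE-REPO:ref:refs/heads/main"
        }
      }
    }
  ]
}
```

The `aud` check alone is not a restriction, because every GitHub Actions token requested with that audience carries the same value; a `StringLike` pattern such as `repo:EXAMPLE-ORG/*` widens the trust to every repository in the organization and should be used deliberately, not by default.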