GWS_GROUP_MANAGER

Summary

FSProtect ACL Alias

GWS_GROUP_MANAGER

GWS Alias

Group Manager

Affected Object Types

GWS Group

Exploitation Certainty

Certain

Description

GWS_GROUP_MANAGER is a structural edge representing that an identity is a manager of a Google Workspace Group. Group managers occupy the second tier of group authority: they can add and remove members, approve membership requests, and promote existing members to MANAGER. A manager cannot assign the OWNER role, delete the group, or modify group-level settings.

If the group is bound to GCP IAM roles, a manager can add a controlled identity as a member to immediately inherit those permissions. The full escalation chain requires only a single API call: GWS_GROUP_MANAGER → GWS_ADD_GROUP_MEMBER → GCP IAM access.

Manager accounts are frequently overlooked during security reviews because alert policies typically focus on ownership changes. A manager foothold also persists through group ownership transfers — existing manager assignments are not automatically revoked when a group's owner is changed or removed. If the target group is bound to organization-level or folder-level GCP IAM roles, a single manager foothold can yield access across every project in the organization.

Group membership changes by a manager are recorded only in Google Workspace audit logs. Member additions via the Groups UI route to the groups_enterprise stream; additions via the Admin API route to the admin stream. The GCP setIamPolicy event is never triggered.

Identification

gcloud CLI

# Find all GCP-bound groups across the organization
gcloud asset search-all-iam-policies \
    --scope='organizations/ORG_ID' \
    --query='memberTypes:group' \
    --format="table(resource, policy.bindings[].role, policy.bindings[].members)"

# List all members with MANAGER role in a group
GROUP_EMAIL="[email protected]"
gcloud identity groups memberships list \
  --group-email=$GROUP_EMAIL \
  --format="table(preferredMemberKey.id, roles[0].name)" \
  | grep MANAGER

Google Admin Console

Open Google Admin Console (admin.google.com) → Directory → Groups.
Click on the target group → Members tab.
Filter by Role: Manager to list all group managers.

Exploitation

# As a group manager, add attacker-controlled identity as member to inherit GCP IAM
GROUP_EMAIL="[email protected]"
gcloud identity groups memberships add \
  --group-email=$GROUP_EMAIL \
  [email protected] \
  --roles=MEMBER

# Wait 1-5 minutes for GCP IAM propagation
gcloud projects list
gcloud compute instances list --project=TARGET_PROJECT

Mitigation

Convert GCP-bound groups to security groups — restricts all membership management to Super Admins only:
```
gcloud identity groups update GROUP_EMAIL \
  --labels=cloudidentity.googleapis.com/groups.security=''
```
Minimize managers — assign the MANAGER role only when membership delegation is genuinely required. Audit and revoke unnecessary manager assignments regularly.

Audit manager assignments on GCP-bound groups:

gcloud identity groups memberships list \
  --group-email=SENSITIVE_GROUP_EMAIL \
  --format="table(preferredMemberKey.id, roles[0].name)" | grep MANAGER

Alert on manager-driven member additions on GCP-bound groups — specifically when the actor holds MANAGER (not OWNER or Admin), which is the operational signature of foothold exploitation.
Enable GWS audit log export to Cloud Logging — without this, groups_enterprise additions (via Groups UI) are invisible to GCP-based monitoring.

Detection

Monitor group membership changes in Google Workspace Audit Logs. Pay attention to member additions performed by accounts that hold MANAGER rather than OWNER — these are the signature of manager foothold exploitation.

Google Admin Console

Open Google Admin Console (admin.google.com) → Reporting → Audit and investigation → Groups Enterprise log events.
Filter by Event Name: Add member or Update member (role change to MANAGER).
Check the Actor field — if the actor holds MANAGER (not OWNER or Admin), the foothold is actively being exploited.

Cloud Logging (GCP)

# Monitor all group member additions and MANAGER role assignments
gcloud logging read \
  'logName="organizations/ORG_ID/logs/cloudaudit.googleapis.com%2Factivity" AND protoPayload.serviceName="admin.googleapis.com" AND protoPayload.methodName="google.admin.AdminService.addGroupMember"' \
  --format="table(timestamp, protoPayload.authenticationInfo.principalEmail, protoPayload.request.groupKey, protoPayload.request.memberKey)"

References

https://www.netspi.com/blog/technical-blog/cloud-pentesting/escalating-privileges-in-google-cloud-via-open-groups/
https://cloud.google.com/iam/docs/groups-in-cloud-console
https://developers.google.com/admin-sdk/directory/reference/rest/v1/members
https://cloud.google.com/identity/docs/reference/rest/v1/groups.memberships
https://cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview
https://developers.google.com/workspace/admin/reports/v1/appendix/activity/groups-enterprise
https://support.google.com/a/answer/167430

PreviousGWS_GRANT_ROLE NextGWS_GROUP_OWNER

Last updated 6 days ago

Was this helpful?