GWS_IN_GROUP
Summary
FSProtect ACL Alias: GWS_IN_GROUP
GCP Alias: Entity Relation (Structural)
Affected Object Types: Users, Service Accounts, Groups
Exploitation Certainty: Certain
Description
GWS_IN_GROUP is a structural edge representing that a GCP identity (user or service account) is a member of a Google Group. Google Groups are used in GCP IAM as a way to grant roles to many identities at once — instead of binding a role directly to each user, a role is bound to a group, and all group members inherit the permissions.
Key properties:
A single identity can be a member of multiple groups.
Group membership is managed in Google Workspace (or Cloud Identity), not directly in GCP IAM — it is not visible in the GCP IAM console by default.
Groups can be nested: a group can be a member of another group, creating transitive membership chains.
External users (Gmail addresses, federated identities) can be added to Google Groups.
Identification
GCP Console
Open Google Admin Console (admin.google.com) → Directory → Groups. Search for groups with GCP IAM bindings.
Review group membership — any member inherits all GCP IAM roles bound to the group.
In GCP Console → IAM & Admin → IAM, group bindings appear as "Group" in the Type column.
gcloud CLI
Exploitation
There is no direct exploit path for this edge. GWS_IN_GROUP indicates that an identity is a member of a group, representing a relationship rather than an exploitable permission. The privileges inherited through group membership depend on what permissions are assigned to that group.
Mitigation
No specific mitigation is required for this edge, as it represents a membership relationship. However, organizations should regularly audit group memberships to ensure only authorized identities are members of sensitive groups.
Detection
Detect group membership changes in audit logs.
Open Google Admin Console (admin.google.com) → Groups Enterprise Log Events. Look for membership changes for groups.
Alert on:
External member addition to a group that holds GCP IAM roles.
Group membership changes for groups with IAM bindings.
Membership additions outside business hours or from unexpected admin accounts.
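The following is an added example, not code from the FSProtect page: it resolves which identities inherit GCP IAM roles through nested group membership (the transitive chains described under Key properties) and flags principals outside the corporate domain that end up holding a role, which is the alert case listed above. The IAM policy, the group membership export, the domain and every name are constructed for illustration.

```python
# Added example: resolves which identities inherit GCP IAM roles through
# (possibly nested) Google Groups. All data below is constructed; the domain
# and every name are hypothetical.
from collections import defaultdict

CORP_DOMAIN = "example.com"  # assumed corporate domain

# Constructed bindings in the shape of `gcloud projects get-iam-policy --format=json`.
IAM_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["group:cloud-admins@example.com"]},
    {"role": "roles/viewer", "members": ["group:all-staff@example.com",
                                         "user:carol@example.com"]},
]}

# Constructed direct membership as exported from Workspace: group -> members.
GROUP_MEMBERS = {
    "cloud-admins@example.com": ["group:platform-team@example.com"],
    "platform-team@example.com": ["user:alice@example.com",
                                  "user:contractor@gmail.com"],
    "all-staff@example.com": ["group:platform-team@example.com",
                              "user:bob@example.com"],
}

def expand_group(group, members=GROUP_MEMBERS, seen=None):
    """Non-group principals reachable from `group`, following nested groups."""
    seen = set() if seen is None else seen
    if group in seen:  # membership cycles terminate here
        return set()
    seen.add(group)
    out = set()
    for m in members.get(group, []):
        kind, _, name = m.partition(":")
        out |= expand_group(name, members, seen) if kind == "group" else {m}
    return out

def effective_roles(policy=IAM_POLICY, members=GROUP_MEMBERS):
    """Map each user/service account to roles held directly or via groups."""
    roles = defaultdict(set)
    for b in policy["bindings"]:
        for m in b["members"]:
            kind, _, name = m.partition(":")
            for p in (expand_group(name, members) if kind == "group" else {m}):
                roles[p].add(b["role"])
    return dict(roles)

def external_principals(policy=IAM_POLICY, members=GROUP_MEMBERS):
    """Principals outside CORP_DOMAIN holding any role (the detection alert case)."""
    return sorted(p for p in effective_roles(policy, members)
                  if not p.endswith("@" + CORP_DOMAIN))
```

In the constructed data, contractor@gmail.com never appears in a group that is bound directly in IAM, yet inherits roles/owner two hops away; that is the gap a console review of a single group's membership misses.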
References
https://cloud.google.com/iam/docs/groups-in-cloud-console