stratus-red-team
GCP: Granting a project role to a @gmail.com e-mail address
Background: To backdoor a project, an attacker could grant an external e-mail address permissions on the project, i.e.
gcloud projects add-iam-policy-binding [PROJECT] \
--member user:[email protected] --role roles/editor
In an enterprise context, this is likely to be considered suspicious.
Ref https://cloud.google.com/resource-manager/docs/organization-policy/restricting-domains: this could probably be expanded to any IAM bindings containing a domain which is not the primary domain of the organization's Google Workspace account.
Good point for the detection part! Thanks for the input.
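A detection sketch for the idea discussed in this thread, added here as an example and not part of the issue or of the stratus-red-team code: it scans Cloud Audit Log entries for `SetIamPolicy` calls and reports bindings added for `user:`, `group:` or `domain:` members outside the organization's domains. The function names, `ALLOWED_DOMAINS` and the sample entries are assumptions; the entries are constructed and trimmed to the `protoPayload.serviceData.policyDelta.bindingDeltas` fields the check reads.

```python
import json

# Assumption: the organization's own Workspace domain(s); replace with yours.
ALLOWED_DOMAINS = {"example.com"}

def external_grants(entry, allowed=ALLOWED_DOMAINS):
    """Return (member, role) pairs added by a SetIamPolicy audit log entry
    whose user/group/domain member falls outside the allowed domains."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "SetIamPolicy":
        return []
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    hits = []
    for delta in deltas:
        if delta.get("action") != "ADD":
            continue  # removals do not grant access
        kind, _, ident = delta.get("member", "").partition(":")
        if kind in ("user", "group"):
            domain = ident.rpartition("@")[2]
        elif kind == "domain":
            domain = ident
        else:
            continue  # service accounts, allUsers, etc. need separate rules
        if domain.lower() not in allowed:
            hits.append((delta["member"], delta.get("role")))
    return hits

# Constructed sample entries (one JSON object per line), not real log data.
SAMPLE_LOG = """\
{"protoPayload":{"methodName":"SetIamPolicy","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/editor","member":"user:someone@gmail.com"}]}}}}
{"protoPayload":{"methodName":"SetIamPolicy","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"user:alice@example.com"},{"action":"REMOVE","role":"roles/owner","member":"user:old@gmail.com"}]}}}}
{"protoPayload":{"methodName":"GetIamPolicy"}}
"""

def scan(log_text, allowed=ALLOWED_DOMAINS):
    """Run external_grants over newline-delimited JSON audit log entries."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hits.extend(external_grants(json.loads(line), allowed))
    return hits

if __name__ == "__main__":
    for member, role in scan(SAMPLE_LOG):
        print(f"external IAM grant: {member} -> {role}")
```
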