Welcome to my blog! I write about cloud security, software development, and engineering management.
About Me
Engineering Manager at NALA with 7+ years of full-stack development expertise and 3+ years leading high-performing teams (previously Senior Software Engineering Manager at Orca Security). Cloud architect proficient in AWS, GCP, and Azure, specializing in security, data-intensive systems, and infrastructure optimization. Driven by a startup mentality and a passion for building scalable solutions while fostering innovative, collaborative engineering cultures.
This follow-up demonstrates a snapshot-based bypass that complements the disk-cloning attack described earlier.
TL;DR: The legacy basic role roles/viewer is riskier than you think. It grants compute.disks.useReadOnly, which lets an attacker clone disks (even CMEK-encrypted ones) into an external project, effectively stripping the CMEK encryption and bypassing the specific KMS permissions you would expect to prevent this.
While Google patched the direct disk cloning bypass following my disclosure, I have discovered a new workaround using snapshots that still allows attackers to strip CMEK encryption.
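The practical question raised by the TL;DR is: who in a project actually holds compute.disks.useReadOnly, and do they get it from a basic role? The script below is an added example, not code from the original post. It walks an IAM policy in the shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, flags every member bound to a role that carries the permission, and marks which of those members are outside your trusted domains. roles/viewer is the role the post names; roles/editor and roles/owner are included because they are supersets of it. The sample policy, the custom role projects/my-proj/roles/diskReader, and the domain names are constructed for illustration.

```python
"""Audit a GCP project IAM policy for principals able to read disk contents.

Added example, not code from the original post. It flags every binding to a
role that carries compute.disks.useReadOnly, the permission the post says the
basic roles/viewer role grants. The sample policy, custom role and domain
names below are constructed for illustration.
"""
import json

PERMISSION = "compute.disks.useReadOnly"

# Predefined roles treated as carrying PERMISSION. roles/viewer is the one the
# post names; roles/editor and roles/owner are supersets of roles/viewer.
# Extend this set from `gcloud iam roles describe ROLE` output if other
# predefined roles used in your environment include the permission.
BASIC_ROLES = {"roles/viewer", "roles/editor", "roles/owner"}
DISK_READ_ROLES = set(BASIC_ROLES)


def custom_roles_granting(permission, custom_roles):
    """custom_roles maps role name -> list of includedPermissions
    (the field `gcloud iam roles describe --format=json` prints)."""
    return {name for name, perms in custom_roles.items() if permission in perms}


def is_external(member, trusted_domains, project_id):
    """True if the IAM member is outside the trusted domains / project.

    Member forms: user:, group:, serviceAccount:, domain:, allUsers,
    allAuthenticatedUsers, and deleted:<form>:...?uid=... for deleted principals.
    """
    if member in ("allUsers", "allAuthenticatedUsers"):
        return True
    if member.startswith("deleted:"):
        member = member[len("deleted:"):]
    kind, _, ident = member.partition(":")
    if kind == "domain":
        return ident not in trusted_domains
    domain = ident.split("?", 1)[0].rsplit("@", 1)[-1]  # drop ?uid= of deleted members
    if kind == "serviceAccount" and domain == f"{project_id}.iam.gserviceaccount.com":
        return False  # service account owned by the audited project itself
    return domain not in trusted_domains


def find_disk_readers(policy, custom_roles=None, trusted_domains=(), project_id=""):
    """Return one finding per (member, role) pair that grants PERMISSION."""
    risky_roles = DISK_READ_ROLES | custom_roles_granting(PERMISSION, custom_roles or {})
    trusted = set(trusted_domains)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role not in risky_roles:
            continue
        for member in binding.get("members", []):
            findings.append({
                "member": member,
                "role": role,
                "basic_role": role in BASIC_ROLES,
                # An IAM condition narrows the grant but does not remove it.
                "conditional": "condition" in binding,
                "external": is_external(member, trusted, project_id),
            })
    return findings


# Constructed sample; shape matches `gcloud projects get-iam-policy PROJECT --format=json`.
SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:auditor@example.com", "user:contractor@partner.example.net"]},
        {"role": "roles/logging.viewer", "members": ["group:devs@example.com"]},
        {"role": "projects/my-proj/roles/diskReader",
         "members": ["serviceAccount:backup@my-proj.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@other-proj.iam.gserviceaccount.com"],
         "condition": {"title": "business-hours",
                       "expression": "request.time.getHours('UTC') < 18"}},
    ],
}
# Constructed sample; shape of includedPermissions from `gcloud iam roles describe`.
SAMPLE_CUSTOM_ROLES = {
    "projects/my-proj/roles/diskReader": ["compute.disks.get", "compute.disks.list", PERMISSION],
}

if __name__ == "__main__":
    report = find_disk_readers(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES,
                               trusted_domains={"example.com"}, project_id="my-proj")
    print(json.dumps(report, indent=2))
```

In use, replace the samples with the real policy and, for each custom role in it, the includedPermissions list from `gcloud iam roles describe ROLE --project PROJECT --format=json`. Two caveats: the project policy does not show bindings inherited from the folder or organization, so run the same check against those resources too, and a finding with `basic_role` set is the one to act on first, since the fix the post implies is replacing the basic role with a narrower predefined or custom role rather than adding conditions.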
...