Securing Serverless Applications Against Common Attacks on GCP
Mandiant highlights risks of publicly exposed serverless applications on Google Cloud, such as Cloud Run, lacking authentication. Exploiting vulnerabilities like LFI and command injection can lead to full cloud environment compromise, a growing concern with increased AI usage. This post details attack scenarios and provides hardening guidance, applicable to any public serverless deployment, emphasizing secure secrets management and least privilege principles for service accounts.
- →Serverless Applications: Benefits and Risks
- →Attack Vectors: Initial Access and Lateral Movement
- →Local File Inclusion (LFI) Attack Scenario
- →Code Execution/Command Injection Attack Scenario
- →Consequences of Compromised Service Accounts
Enhancements (1) ›
- Hardening Recommendations for Serverless Environments
Mandiant advises implementing hardening strategies for serverless deployments, especially those that must remain publicly accessible. Key recommendations include securing secrets management by utilizing solutions like Secret Manager and applying least privilege principles to service accounts.
Notes (5) ›
- Serverless Applications: Benefits and Risks
Serverless applications, or Function-as-a-Service (FaaS), enable scalable microservices without infrastructure management, but can be targets for attacks like LFI and command injection due to custom code and third-party packages. This is particularly relevant with the rise of AI workflows relying on serverless architectures.
- Attack Vectors: Initial Access and Lateral Movement
Publicly exposed serverless workloads can be an entry point for attackers who exploit code vulnerabilities or runtime issues. Common post-exploitation techniques include extracting secrets, analyzing application logic for further exploits, and exfiltrating service account bearer tokens to pivot to other cloud resources.
- Local File Inclusion (LFI) Attack Scenario
An example demonstrates an LFI vulnerability in a Python/Flask Cloud Run function where unvalidated user input is used to open files. Attackers can exploit this to retrieve sensitive files like source code, configuration files, or system files, revealing hardcoded secrets or enabling further attacks.
- Code Execution/Command Injection Attack Scenario
A scenario illustrates how unsanitized user input in a Python function can lead to arbitrary command execution. This can enable attackers to extract service account bearer tokens from the GCP metadata service, allowing them to impersonate the service account and potentially take over the GCP project.
- Consequences of Compromised Service Accounts
If a serverless service account has excessive permissions (e.g., Editor role), a compromised bearer token can lead to a full GCP project takeover. Attackers can then read/write/delete resources, deploy new services, access secrets, exfiltrate data, and establish persistent backdoors.
https://cloud.google.com/blog/topics/threat-intelligence/exposed-cloud-functions-harden/
Related releases
- Cloud SDK 576.0.0: BigLake, GKE, Compute Engine updates Google Cloud release notes ·
- Cloud Run Supports Public GitHub Container Registry Images Google Cloud release notes ·
- Terraform Google Provider v7.40.0: New Data Sources and Resources Terraform Google Provider Releases ·
- Claude on Google Cloud for Enterprise Production AI Google Cloud Blog ·
- Google Cloud Accelerate AI with Cloud Run Roadshow 2026 Google Cloud Blog ·
- Google Cloud: New AI, Serverless, and Infrastructure Updates Google Cloud Blog ·