catalog logoThe IAM Privilege Catalog

risks / Infrastructure destruction

Description

Allows an attacker to delete infrastructure. May cause interruption of services (including central operations of the organization). Can be similar in effect to a denial of service.

Risk: HIGH

Exploited in isolation, this risk has the potential to disrupt ancillary organization operations, cause reputational damage, or run afoul of compliance requirements.

Mitigations

  1. Define infrastructure as code

Links

    (No links for this risk)

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

appengine.services.delete
appengine.versions.delete
bigquery.connections.delete
bigquery.connections.update
bigquery.models.delete
bigquery.reservationAssignments.delete
bigquery.routines.delete
bigquery.routines.update
bigquery.savedqueries.delete
bigquery.savedqueries.update
bigquery.tables.deleteIndex
bigquery.tables.update
cloudfunctions.functions.delete
cloudsql.databases.delete
cloudsql.instances.delete
compute.addresses.delete
compute.addresses.deleteInternal
compute.addresses.setLabels
compute.autoscalers.delete
compute.autoscalers.update
compute.backendBuckets.delete
compute.backendBuckets.deleteSignedUrlKey
compute.backendBuckets.update
compute.backendServices.delete
compute.backendServices.deleteSignedUrlKey
compute.backendServices.update
compute.disks.delete
compute.disks.removeResourceBindings
compute.disks.setLabels
compute.disks.stopAsyncReplication
compute.disks.stopGroupAsyncReplication
compute.disks.update
compute.externalVpnGateways.setLabels
compute.firewallPolicies.update
compute.forwardingRules.pscSetLabels
compute.forwardingRules.setLabels
compute.globalAddresses.setLabels
compute.globalForwardingRules.pscSetLabels
compute.globalForwardingRules.setLabels
compute.healthChecks.update
compute.httpHealthChecks.update
compute.httpsHealthChecks.update
compute.images.update
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.update
compute.instanceGroups.delete
compute.instances.delete
compute.instances.detachDisk
compute.instances.setDeletionProtection
compute.instances.setDiskAutoDelete
compute.instances.setLabels
compute.instances.setName
compute.instances.setServiceAccount
compute.instances.update
compute.instances.updateShieldedInstanceConfig
compute.instances.updateShieldedVmConfig
compute.interconnects.delete
compute.interconnects.setLabels
compute.interconnectsAttachments.setLabels
container.apiServices.delete
container.clusters.delete
container.clusters.update
container.daemonSets.delete
container.daemonSets.update
container.deployments.delete
container.deployments.rollback
container.deployments.update
container.deployments.updateScale
container.jobs.delete
container.jobs.update
container.namespaces.delete
container.nodes.delete
container.pods.attach
container.pods.delete
container.replicaSets.delete
container.replicaSets.update
container.replicaSets.updateScale
container.secrets.delete
container.secrets.update
container.serviceAccounts.delete
container.serviceAccounts.update
container.statefulSets.delete
container.statefulSets.update
container.statefulSets.updateScale
dataproc.clusters.delete
datastore.indexes.delete
domains.registrations.configureManagement
domains.registrations.delete
firebase.projects.delete
logging.links.delete
logging.queries.delete
logging.queries.update
logging.queries.updateShared
logging.sinks.delete
logging.views.delete
pubsub.schemas.delete
resourcemanager.projects.delete
run.jobs.delete
run.revisions.delete
run.services.delete
storage.buckets.delete

© 2023–present P0 Security and contributors to the IAM Privilege Catalog