catalog logoThe IAM Privilege Catalog

risks / Network destruction

Description

Allows an attacker to delete network components (such as endpoints, routes, VLANs, VPCs and the like). Implies denial-of-service when the network hosts a service. Removal of network firewall policies is covered by destruction:policy.

Risk: HIGH

Exploited in isolation, this risk has the potential to disrupt ancillary organization operations, cause reputational damage, or run afoul of compliance requirements.

Mitigations

  1. Network redundancy

Links

    (No links for this risk)

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

compute.externalVpnGateways.delete
compute.forwardingRules.delete
compute.forwardingRules.pscDelete
compute.forwardingRules.pscUpdate
compute.forwardingRules.update
compute.globalAddresses.delete
compute.globalAddresses.deleteInternal
compute.globalForwardingRules.delete
compute.globalForwardingRules.pscDelete
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.update
compute.globalNetworkEndpointGroups.delete
compute.globalNetworkEndpointGroups.detachNetworkEndpoints
compute.healthChecks.delete
compute.healthChecks.update
compute.httpHealthChecks.delete
compute.httpHealthChecks.update
compute.httpsHealthChecks.delete
compute.httpsHealthChecks.update
compute.instanceGroupManagers.delete
compute.instanceGroupManagers.update
compute.instanceGroups.update
compute.instances.deleteAccessConfig
compute.instances.osAdminLogin
compute.instances.simulateMaintenanceEvent
compute.instances.update
compute.instances.updateAccessConfig
compute.instances.updateNetworkInterface
compute.interconnectsAttachments.delete
compute.networkEndpointGroups.delete
compute.networkEndpointGroups.detachNetworkEndpoints
compute.networks.delete
compute.networks.removePeering
container.backendConfigs.create
container.backendConfigs.delete
container.backendConfigs.update
container.clusters.delete
container.clusters.update
container.daemonSets.update
container.deployments.update
container.endpointSlices.delete
container.endpointSlices.update
container.endpoints.delete
container.endpoints.update
container.frontendConfigs.create
container.frontendConfigs.delete
container.frontendConfigs.update
container.ingresses.delete
container.ingresses.update
container.namespaces.delete
container.replicaSets.update
container.services.delete
container.services.update
container.statefulSets.update
dns.managedZones.delete
dns.resourceRecordSets.delete
dns.responsePolicyRules.delete
iap.projects.updateSettings
iap.tunnelDestGroups.delete
iap.tunnelDestGroups.update
iap.webServiceVersions.updateSettings
iap.webServices.updateSettings
iap.webTypes.updateSettings

© 2023–present P0 Security and contributors to the IAM Privilege Catalog