catalog logoThe IAM Privilege Catalog

risks / Account discovery

Description

Allows an attacker to inventory system accounts. These accounts may then be further targeted for compromise to escalate access.

Risk: LOW

This risk may assist in additional attacks, or gain access to confidential data that do not create organizational risk on their own.

Mitigations

  1. Use least-privileged access
  2. Use multi-factor authentication for user accounts
  3. Rotate service-account credentials
  4. Prevent unencrypted service-account credential storage
  5. Monitor suspicious account access
  6. Remove or suspend inactive accounts

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1078/​
  2. https:/​/​attack.mitre.org/​techniques/​T1087/​
  3. https:/​/​attack.mitre.org/​techniques/​T1550/​
  4. https:/​/​attack.mitre.org/​techniques/​T1552/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

bigquery.connections.getIamPolicy
bigquery.dataPolicies.getIamPolicy
bigquery.datasets.getIamPolicy
bigquery.rowAccessPolicies.getIamPolicy
bigquery.tables.getIamPolicy
billing.accounts.get
billing.accounts.getIamPolicy
billing.accounts.list
cloudbuild.connections.getIamPolicy
cloudfunctions.functions.call
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.invoke
cloudkms.cryptoKeys.getIamPolicy
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.keyRings.getIamPolicy
cloudsql.users.get
cloudsql.users.list
compute.backendBuckets.getIamPolicy
compute.backendServices.getIamPolicy
compute.disks.getIamPolicy
compute.firewallPolicies.getIamPolicy
compute.globalNetworkEndpointGroups.getIamPolicy
compute.images.getIamPolicy
compute.instances.get
compute.instances.getIamPolicy
compute.instances.getShieldedInstanceIdentity
compute.instances.getShieldedVmIdentity
compute.instances.list
compute.networkEndpointGroups.getIamPolicy
dataproc.clusters.getIamPolicy
dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
domains.registrations.getIamPolicy
iam.serviceAccounts.getIamPolicy
iap.tunnel.getIamPolicy
iap.tunnelDestGroups.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelLocations.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
pubsub.schemas.getIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.topics.getIamPolicy
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
resourcemanager.projects.getIamPolicy
resourcemanager.tagkeys.getIamPolicy
resourcemanager.tagvalues.getIamPolicy
run.jobs.getIamPolicy
run.services.getIamPolicy
secretmanager.secrets.get
secretmanager.secrets.getIamPolicy
secretmanager.secrets.list
secretmanager.versions.get
secretmanager.versions.list
storage.buckets.getIamPolicy
storage.objects.getIamPolicy

© 2023–present P0 Security and contributors to the IAM Privilege Catalog