catalog logoThe IAM Privilege Catalog

risks / Policy discovery

Description

Allows an attacker to read access-control policies. May allow an attacker to focus attacks on policy weak points (e.g. overprovisioned accounts, or unsecured infrastructure).

Risk: LOW

This risk may assist in additional attacks, or gain access to confidential data that do not create organizational risk on their own.

Mitigations

  1. Avoid overprovisioned entitlements

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1069/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

appengine.instances.enableDebug
appengine.operations.get
appengine.operations.list
appengine.services.get
appengine.services.list
appengine.versions.get
appengine.versions.list
bigquery.connections.getIamPolicy
bigquery.dataPolicies.get
bigquery.dataPolicies.getIamPolicy
bigquery.dataPolicies.list
bigquery.datasets.getIamPolicy
bigquery.datasets.listEffectiveTags
bigquery.datasets.listTagBindings
bigquery.rowAccessPolicies.get
bigquery.rowAccessPolicies.getIamPolicy
bigquery.rowAccessPolicies.list
bigquery.tables.getIamPolicy
billing.accounts.getIamPolicy
cloudbuild.connections.getIamPolicy
cloudfunctions.functions.get
cloudfunctions.functions.getIamPolicy
cloudfunctions.functions.list
cloudfunctions.operations.get
cloudfunctions.operations.list
cloudkms.cryptoKeys.getIamPolicy
cloudkms.ekmConfigs.getIamPolicy
cloudkms.ekmConnections.getIamPolicy
cloudkms.importJobs.getIamPolicy
cloudkms.keyRings.getIamPolicy
cloudkms.keyRings.listEffectiveTags
cloudkms.keyRings.listTagBindings
cloudsql.instances.get
cloudsql.instances.list
cloudsql.instances.listEffectiveTags
cloudsql.instances.listTagBindings
compute.backendBuckets.getIamPolicy
compute.backendServices.getIamPolicy
compute.disks.getIamPolicy
compute.disks.listEffectiveTags
compute.disks.listTagBindings
compute.firewallPolicies.get
compute.firewallPolicies.getIamPolicy
compute.firewallPolicies.list
compute.globalNetworkEndpointGroups.getIamPolicy
compute.images.getIamPolicy
compute.images.listEffectiveTags
compute.images.listTagBindings
compute.instances.create
compute.instances.get
compute.instances.getEffectiveFirewalls
compute.instances.getIamPolicy
compute.instances.list
compute.instances.listEffectiveTags
compute.instances.listTagBindings
compute.instances.osAdminLogin
compute.instances.osLogin
compute.networkEndpointGroups.getIamPolicy
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.listEffectiveTags
container.clusters.listTagBindings
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
dataproc.clusters.getIamPolicy
dns.managedZones.getIamPolicy
dns.policies.getIamPolicy
dns.responsePolicies.get
dns.responsePolicies.list
dns.responsePolicyRules.get
dns.responsePolicyRules.list
domains.registrations.getIamPolicy
domains.registrations.listEffectiveTags
domains.registrations.listTagBindings
firebaserules.rulesets.get
iam.roles.get
iam.roles.list
iam.serviceAccounts.getIamPolicy
iap.tunnel.getIamPolicy
iap.tunnelDestGroups.getIamPolicy
iap.tunnelInstances.getIamPolicy
iap.tunnelLocations.getIamPolicy
iap.tunnelZones.getIamPolicy
iap.web.getIamPolicy
iap.webServiceVersions.getIamPolicy
iap.webServices.getIamPolicy
iap.webTypes.getIamPolicy
pubsub.schemas.getIamPolicy
pubsub.snapshots.getIamPolicy
pubsub.subscriptions.getIamPolicy
pubsub.topics.getIamPolicy
recommender.cloudAssetInsights.get
recommender.cloudAssetInsights.list
recommender.iamPolicyInsights.get
recommender.iamPolicyInsights.list
recommender.iamPolicyRecommendations.get
recommender.iamPolicyRecommendations.list
resourcemanager.projects.getIamPolicy
resourcemanager.tagkeys.getIamPolicy
resourcemanager.tagvalues.getIamPolicy
run.jobs.getIamPolicy
run.jobs.listEffectiveTags
run.jobs.listTagBindings
run.services.get
run.services.getIamPolicy
run.services.list
run.services.listEffectiveTags
run.services.listTagBindings
secretmanager.secrets.getIamPolicy
storage.buckets.getIamPolicy
storage.buckets.listEffectiveTags
storage.buckets.listTagBindings
storage.objects.getIamPolicy

© 2023–present P0 Security and contributors to the IAM Privilege Catalog