catalog logoThe IAM Privilege Catalog

risks / Lateral movement

Description

Allows an attacker to gain access to additional components within a service, or to additional services within the system. Often occurs when an attacker can gain access to an additional identity (e.g., a service account) that has broader access.

Risk: BOOST

This risk allows an attacker to significantly increase the scope of an attack, or the sensitivity of accessed systems.

Mitigations

  1. Use least-privileged access
  2. Rotate service account credentials
  3. Prevent unencrypted service-account credential storage
  4. Monitor suspicious account access

Links

  1. https:/​/​attack.mitre.org/​techniques/​T1550/​

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

appengine.applications.update
appengine.instances.enableDebug
appengine.services.update
cloudbuild.builds.create
compute.addresses.use
compute.addresses.useInternal
compute.backendBuckets.use
compute.backendServices.use
compute.externalVpnGateways.use
compute.firewallPolicies.addAssociation
compute.firewallPolicies.cloneRules
compute.firewallPolicies.removeAssociation
compute.firewallPolicies.use
compute.forwardingRules.create
compute.forwardingRules.pscCreate
compute.forwardingRules.pscSetTarget
compute.forwardingRules.pscUpdate
compute.forwardingRules.setTargets
compute.forwardingRules.update
compute.forwardingRules.use
compute.globalAddresses.use
compute.globalForwardingRules.create
compute.globalForwardingRules.pscCreate
compute.globalForwardingRules.pscSetTarget
compute.globalForwardingRules.pscUpdate
compute.globalForwardingRules.setTargets
compute.globalForwardingRules.update
compute.globalForwardingRules.use
compute.globalNetworkEndpointGroups.attachNetworkEndpoints
compute.globalNetworkEndpointGroups.create
compute.instanceGroupManagers.update
compute.instanceGroupManagers.use
compute.instanceGroups.update
compute.instanceGroups.use
compute.instances.attachDisk
compute.instances.osAdminLogin
compute.instances.osLogin
compute.instances.setServiceAccount
compute.instances.setTags
compute.instances.updateNetworkInterface
compute.networkEndpointGroups.attachNetworkEndpoints
compute.networkEndpointGroups.create
container.clusterRoles.escalate
container.clusters.impersonate
container.daemonSets.create
container.daemonSets.update
container.deployments.create
container.deployments.update
container.jobs.create
container.jobs.update
container.nodes.proxy
container.pods.create
container.pods.exec
container.replicaSets.create
container.replicaSets.update
container.roles.bind
container.roles.escalate
container.serviceAccounts.createToken
container.services.proxy
container.statefulSets.create
container.statefulSets.update
iam.serviceAccountKeys.enable
iam.serviceAccounts.actAs
iam.serviceAccounts.getAccessToken
iam.serviceAccounts.getOpenIdToken
iam.serviceAccounts.implicitDelegation
iam.serviceAccounts.signBlob
iam.serviceAccounts.signJwt
serviceusage.services.enable

© 2023–present P0 Security and contributors to the IAM Privilege Catalog