Privilege escalation

The IAM Privilege Catalog

risks / Privilege escalation

Description

Allows an attacker to either access an account with more sensitive privileges (e.g. an admin-specific account), or add these privileges to an account under the attacker's control.

Risk: CRITICAL

Exploited in isolation, this risk has the potential to disrupt central organizational operations, destroy trust, or create significant liability. Alternatively, this risk gives attackers access to broadly provisioned identities that enable the above impacts (such as root privilege escalation risks).

Mitigations

Avoid use of admin or root accounts
Securely store admin and root account credentials
Scan for insecurely stored account credentials
Use ephemeral entitlement grants for sensitive operations
Apply permission boundaries to identity entitlements

Links

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Amazon Web Services

Google Cloud Platform

apikeys.keys.getKeyString

bigquery.connections.setIamPolicy

bigquery.dataPolicies.setIamPolicy

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.setIamPolicy

bigquery.datasets.updateTag

bigquery.rowAccessPolicies.setIamPolicy

bigquery.tables.setCategory

bigquery.tables.setIamPolicy

bigquery.tables.updateTag

billing.accounts.setIamPolicy

cloudbuild.connections.setIamPolicy

cloudfunctions.functions.setIamPolicy

cloudkms.cryptoKeys.setIamPolicy

cloudkms.ekmConfigs.setIamPolicy

cloudkms.ekmConnections.setIamPolicy

cloudkms.importJobs.setIamPolicy

cloudkms.keyRings.createTagBinding

cloudkms.keyRings.deleteTagBinding

cloudkms.keyRings.setIamPolicy

cloudsql.instances.createTagBinding

cloudsql.instances.deleteTagBinding

compute.backendBuckets.addSignedUrlKey

compute.backendBuckets.setIamPolicy

compute.backendBuckets.setSecurityPolicy

compute.backendServices.addSignedUrlKey

compute.backendServices.setIamPolicy

compute.backendServices.setSecurityPolicy

compute.disks.createTagBinding

compute.disks.deleteTagBinding

compute.disks.setIamPolicy

compute.firewallPolicies.setIamPolicy

compute.globalNetworkEndpointGroups.setIamPolicy

compute.images.createTagBinding

compute.images.deleteTagBinding

compute.images.setIamPolicy

compute.instances.addAccessConfig

compute.instances.createTagBinding

compute.instances.deleteTagBinding

compute.instances.setIamPolicy

compute.instances.updateAccessConfig

compute.instances.updateNetworkInterface

compute.networkEndpointGroups.setIamPolicy

container.clusterRoles.bind

container.clusterRoles.escalate

container.clusters.createTagBinding

container.clusters.deleteTagBinding

container.nodes.proxy

container.pods.exec

container.roles.bind

container.roles.escalate

dataproc.clusters.setIamPolicy

dns.managedZones.setIamPolicy

dns.policies.setIamPolicy

domains.registrations.createTagBinding

domains.registrations.deleteTagBinding

domains.registrations.setIamPolicy

iam.roles.update

iam.serviceAccounts.setIamPolicy

iap.tunnel.setIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.setIamPolicy

iap.tunnelZones.setIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.setIamPolicy

pubsub.schemas.setIamPolicy

pubsub.snapshots.setIamPolicy

pubsub.subscriptions.setIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.setIamPolicy

resourcemanager.tagkeys.setIamPolicy

resourcemanager.tagvalues.setIamPolicy

run.jobs.createTagBinding

run.jobs.deleteTagBinding

run.jobs.setIamPolicy

run.services.createTagBinding

run.services.deleteTagBinding

run.services.setIamPolicy

secretmanager.secrets.setIamPolicy

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.setIamPolicy

storage.objects.setIamPolicy

© 2023–present P0 Security and contributors to the IAM Privilege Catalog