Denial-of-access

The IAM Privilege Catalog

risks / Denial-of-access

Description

Allows an attacker to prevent authorized operational access. This can allow an attacker to continue system abuse.

Risk: EVASION

This risk allows an attacker to evade detection, allowing the attacker to exploit additional risks without detection, and prevent exploit remediation.

Mitigations

(No mitigations for this risk)

Links

https://attack.mitre.org/techniques/T1531/

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

appengine.applications.update

appengine.services.update

bigquery.connections.setIamPolicy

bigquery.dataPolicies.setIamPolicy

bigquery.datasets.createTagBinding

bigquery.datasets.deleteTagBinding

bigquery.datasets.setIamPolicy

bigquery.datasets.updateTag

bigquery.rowAccessPolicies.setIamPolicy

bigquery.tables.setCategory

bigquery.tables.setIamPolicy

bigquery.tables.updateTag

billing.accounts.setIamPolicy

cloudbuild.connections.setIamPolicy

cloudfunctions.functions.setIamPolicy

cloudkms.cryptoKeys.setIamPolicy

cloudkms.ekmConfigs.setIamPolicy

cloudkms.ekmConnections.setIamPolicy

cloudkms.importJobs.setIamPolicy

cloudkms.keyRings.createTagBinding

cloudkms.keyRings.deleteTagBinding

cloudkms.keyRings.setIamPolicy

cloudsql.instances.createTagBinding

cloudsql.instances.deleteTagBinding

cloudsql.users.update

compute.backendBuckets.setIamPolicy

compute.backendServices.setIamPolicy

compute.disks.createTagBinding

compute.disks.deleteTagBinding

compute.disks.setIamPolicy

compute.firewallPolicies.setIamPolicy

compute.globalNetworkEndpointGroups.setIamPolicy

compute.images.createTagBinding

compute.images.deleteTagBinding

compute.images.setIamPolicy

compute.instances.createTagBinding

compute.instances.deleteTagBinding

compute.instances.setIamPolicy

compute.networkEndpointGroups.setIamPolicy

compute.networks.setFirewallPolicy

compute.networks.updatePeering

container.clusters.createTagBinding

container.clusters.deleteTagBinding

container.pods.attach

container.pods.portForward

container.pods.proxy

dataproc.clusters.setIamPolicy

dns.managedZones.setIamPolicy

dns.policies.setIamPolicy

domains.registrations.createTagBinding

domains.registrations.deleteTagBinding

domains.registrations.setIamPolicy

firebaserules.releases.delete

firebaserules.releases.update

firebaserules.rulesets.create

iam.roles.delete

iam.roles.update

iam.serviceAccountKeys.delete

iam.serviceAccountKeys.disable

iam.serviceAccounts.setIamPolicy

iap.tunnel.setIamPolicy

iap.tunnelDestGroups.setIamPolicy

iap.tunnelInstances.setIamPolicy

iap.tunnelLocations.setIamPolicy

iap.tunnelZones.setIamPolicy

iap.webServiceVersions.setIamPolicy

iap.webServices.setIamPolicy

iap.webTypes.setIamPolicy

logging.views.delete

pubsub.schemas.setIamPolicy

pubsub.snapshots.setIamPolicy

pubsub.subscriptions.setIamPolicy

pubsub.topics.setIamPolicy

resourcemanager.projects.move

resourcemanager.projects.setIamPolicy

resourcemanager.tagkeys.setIamPolicy

resourcemanager.tagvalues.setIamPolicy

run.jobs.createTagBinding

run.jobs.deleteTagBinding

run.jobs.setIamPolicy

run.services.createTagBinding

run.services.deleteTagBinding

run.services.setIamPolicy

secretmanager.secrets.setIamPolicy

storage.buckets.createTagBinding

storage.buckets.deleteTagBinding

storage.buckets.setIamPolicy

storage.objects.setIamPolicy

© 2023–present P0 Security and contributors to the IAM Privilege Catalog