Denial-of-service

The IAM Privilege Catalog

risks / Denial-of-service

Description

Allows an attacker to disrupt an organization's operations. When applied to critical systems, can disable an organization's core systems.

Risk: HIGH

Exploited in isolation, this risk has the potential to disrupt ancillary organization operations, cause reputational damage, or run afoul of compliance requirements.

Mitigations

Redundant infrastructure
Rate limiting

Links

https://attack.mitre.org/techniques/T1499/

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

apikeys.keys.delete

apikeys.keys.update

appengine.applications.update

appengine.instances.delete

appengine.memcache.flush

appengine.services.delete

appengine.services.update

appengine.versions.delete

bigquery.config.update

bigquery.dataPolicies.create

bigquery.dataPolicies.update

bigquery.rowAccessPolicies.create

bigquery.rowAccessPolicies.update

bigquery.tables.deleteIndex

bigquery.transfers.update

billing.accounts.close

billing.accounts.removeFromOrganization

billing.accounts.updatePaymentInfo

billing.resourceAssociations copy.delete

cloudbuild.builds.approve

cloudbuild.builds.create

cloudbuild.builds.update

cloudbuild.connections.delete

cloudbuild.connections.update

cloudbuild.repositories.accessReadWriteToken

cloudbuild.repositories.delete

cloudbuild.workerpools.delete

cloudbuild.workerpools.update

cloudfunctions.functions.call

cloudfunctions.functions.invoke

cloudfunctions.functions.sourceCodeSet

cloudfunctions.functions.update

cloudkms.cryptoKeyVersions.update

cloudkms.ekmConfigs.update

cloudkms.ekmConnections.update

cloudsql.instances.demoteMaster

cloudsql.instances.failover

cloudsql.instances.import

cloudsql.instances.resetSslConfig

cloudsql.instances.restart

cloudsql.instances.rotateServerCa

cloudsql.instances.update

cloudsql.sslCerts.delete

compute.globalNetworkEndpointGroups.use

compute.healthChecks.create

compute.healthChecks.update

compute.healthChecks.use

compute.healthChecks.useReadOnly

compute.httpHealthChecks.create

compute.httpHealthChecks.update

compute.httpHealthChecks.use

compute.httpHealthChecks.useReadOnly

compute.httpsHealthChecks.create

compute.httpsHealthChecks.update

compute.httpsHealthChecks.use

compute.httpsHealthChecks.useReadOnly

compute.instances.addResourcePolicies

compute.instances.removeResourcePolicies

compute.instances.reset

compute.instances.setMachineResources

compute.instances.setMachineType

compute.instances.setMinCpuPlatform

compute.instances.simulateMaintenanceEvent

compute.instances.stop

compute.instances.suspend

compute.interconnects.update

compute.interconnectsAttachments.update

compute.networkEndpointGroups.use

compute.networks.setFirewallPolicy

datastore.indexes.delete

datastore.indexes.update

dns.gkeClusters.bindDNSResponsePolicy

dns.gkeClusters.bindPrivateDNSZone

dns.managedZones.delete

dns.managedZones.update

dns.networks.bindDNSResponsePolicy

dns.networks.bindPrivateDNSPolicy

dns.networks.bindPrivateDNSZone

dns.networks.targetWithPeeringZone

dns.policies.delete

dns.policies.update

dns.resourceRecordSets.delete

dns.resourceRecordSets.update

dns.responsePolicies.delete

dns.responsePolicies.update

dns.responsePolicyRules.create

dns.responsePolicyRules.delete

dns.responsePolicyRules.update

domains.operations.cancel

domains.registrations.configureDns

iam.serviceAccountKeys.delete

iam.serviceAccountKeys.disable

iam.serviceAccounts.delete

iam.serviceAccounts.disable

iap.projects.updateSettings

iap.tunnelDestGroups.delete

iap.tunnelDestGroups.update

iap.webServiceVersions.updateSettings

iap.webServices.updateSettings

iap.webTypes.updateSettings

pubsub.schemas.attach

pubsub.schemas.commit

pubsub.schemas.delete

pubsub.schemas.rollback

pubsub.snapshots.delete

pubsub.snapshots.update

pubsub.subscriptions.delete

pubsub.subscriptions.update

pubsub.topics.delete

pubsub.topics.detachSubscription

pubsub.topics.publish

pubsub.topics.update

resourcemanager.projects.createBillingAssignment

resourcemanager.projects.deleteBillingAssignment

resourcemanager.projects.move

run.executions.delete

run.jobs.delete

run.jobs.update

run.services.delete

run.services.update

secretmanager.secrets.delete

secretmanager.secrets.update

secretmanager.versions.add

secretmanager.versions.destroy

secretmanager.versions.disable

secretmanager.versions.enable

serviceusage.quotas.update

serviceusage.services.disable

storage.buckets.delete

storage.hmacKeys.delete

storage.hmacKeys.update

storage.multipartUploads.abort

storage.objects.delete

© 2023–present P0 Security and contributors to the IAM Privilege Catalog