catalog logoThe IAM Privilege Catalog

risks / Spend

Description

Allows an attacker to cause increased infrastructure spend, without benefit to the attacker.

Risk: MEDIUM

Exploited in isolation, this risk has the potential to create operational burden or monetary costs, or access organizational secrets.

Mitigations

  1. Add billing plan limits

Links

    (No links for this risk)

Affected Privileges

An attacker may be able to exploit this risk if they gain any of the following privileges:

Google Cloud Platform

apikeys.keys.create
apikeys.keys.undelete
appengine.applications.create
appengine.memcache.addKey
appengine.versions.create
appengine.versions.update
bigquery.capacityCommitments.create
bigquery.capacityCommitments.delete
bigquery.capacityCommitments.update
bigquery.connections.create
bigquery.models.create
bigquery.reservations.create
bigquery.reservations.delete
bigquery.reservations.update
bigquery.tables.createIndex
bigquery.tables.createSnapshot
bigquery.tables.deleteIndex
bigquery.transfers.update
billing.accounts.move
billing.accounts.update
billing.resourceAssociations copy.create
cloudbuild.builds.create
cloudbuild.workerpools.update
cloudbuild.workerpools.use
cloudfunctions.functions.call
cloudfunctions.functions.create
cloudfunctions.functions.invoke
cloudfunctions.functions.sourceCodeSet
cloudfunctions.functions.update
cloudkms.cryptoKeyVersions.create
cloudkms.cryptoKeyVersions.restore
cloudkms.cryptoKeyVersions.useToDecrypt
cloudkms.cryptoKeyVersions.useToDecryptViaDelegation
cloudkms.cryptoKeyVersions.useToEncrypt
cloudkms.cryptoKeyVersions.useToEncryptViaDelegation
cloudkms.cryptoKeyVersions.useToSign
cloudkms.cryptoKeyVersions.useToVerify
cloudkms.importJobs.create
cloudsql.backupRuns.create
cloudsql.databases.create
cloudsql.instances.clone
cloudsql.instances.create
cloudsql.instances.promoteReplica
cloudsql.instances.update
compute.autoscalers.create
compute.autoscalers.update
compute.commitments.create
compute.commitments.update
compute.commitments.updateReservations
compute.disks.addResourcePolicies
compute.disks.create
compute.disks.resize
compute.instanceGroupManagers.create
compute.instanceGroupManagers.update
compute.instances.addResourcePolicies
compute.instances.create
compute.instances.removeResourcePolicies
compute.instances.resume
compute.instances.start
compute.instances.startWithEncryptionKey
compute.instances.update
compute.interconnects.create
compute.interconnectsAttachments.create
compute.networks.mirror
compute.packetMirrorings.create
compute.packetMirrorings.update
container.clusters.create
container.clusters.update
container.daemonSets.create
container.daemonSets.update
container.deployments.create
container.deployments.update
container.deployments.updateScale
container.jobs.create
container.jobs.update
container.pods.create
container.replicaSets.create
container.replicaSets.update
container.replicaSets.updateScale
container.statefulSets.create
container.statefulSets.update
container.statefulSets.updateScale
dataproc.clusters.create
dataproc.clusters.start
dataproc.clusters.update
dataproc.clusters.use
datastore.entities.create
datastore.entities.delete
datastore.entities.get
datastore.entities.list
datastore.entities.update
datastore.indexes.create
datastore.indexes.update
datastore.operations.cancel
dns.managedZones.create
domains.registrations.create
iam.serviceAccounts.create
iam.serviceAccounts.enable
iam.serviceAccounts.undelete
logging.buckets.write
logging.exclusions.delete
logging.logEntries.create
logging.logEntries.route
logging.queries.create
logging.sinks.create
logging.views.create
pubsub.snapshots.create
pubsub.subscriptions.create
pubsub.topics.create
resourcemanager.projects.create
resourcemanager.projects.undelete
run.jobs.run
run.jobs.runWithOverrides
run.jobs.update
run.services.create
run.services.update
serviceusage.quotas.update
serviceusage.services.use
storage.buckets.create
storage.multipartUploads.create
storage.objects.create

© 2023–present P0 Security and contributors to the IAM Privilege Catalog