services / Google Cloud / Compute Engine forwarding rules
Manage layer 4 port forwarding rules within a Google Cloud load balancer.
Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.
compute.forwardingRules.setTargets
Can be used to escalate access when an attacker can reach the loadbalancer source endpoint.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog