catalog logoThe IAM Privilege Catalog

services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer.

Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.

compute.​forwardingRules.​use

This privilege is undocumented by Google. In analogy to other .use privileges, this *may* allow connection of an existing forwarding rule to an (existing) load balancer, thereby potentially allowing access to a service. This has not been tested by the catalog maintainers.

Risks

  1. Lateral movement (BOOST)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​using-​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​protocol-​forwarding
  • https:​/​/​cloud.​google.​com/​load-​balancing/​docs/​access-​control
  • https:​/​/​cloud.​google.​com/​service-​directory/​docs/​configuring-​netlb-​in-​sd
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​forwarding-​rules
  • https:​/​/​cloud.​google.​com/​vpc/​docs/​private-​service-​connect

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog