compute.globalForwardingRules.pscSetTarget

The IAM Privilege Catalog

services / Google Cloud / Compute Engine forwarding rules

Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing.

Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.

compute.globalForwardingRules.pscSetTarget

Can be used to access Google managed services when a VM is already compromised.

Risks

Lateral movement (BOOST)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

https://cloud.google.com/load-balancing/docs/using-forwarding-rules

https://cloud.google.com/load-balancing/docs/protocol-forwarding

https://cloud.google.com/load-balancing/docs/access-control

https://cloud.google.com/service-directory/docs/configuring-netlb-in-sd

https://cloud.google.com/sdk/gcloud/reference/compute/forwarding-rules

https://cloud.google.com/vpc/docs/private-service-connect

Contributed by P0 Security

The IAM Privilege Catalog

services / Google Cloud / Compute Engine forwarding rules

compute.​globalForwardingRules.​pscSetTarget

Risks

Scope: HIGH

Links

compute.globalForwardingRules.pscSetTarget