services / Google Cloud / Compute Engine forwarding rules
Manage layer 4 port forwarding rules within a Google Cloud load balancer. Like `forwardingRules`, but for global load balancing.
Multiple organizational functions may often reside within Compute Engine. However, abuse of forwarding rules requires leveraging additional risks in VM / VPC configuration, such as sensitive data or access broadcast on open VPC ports.
compute.globalForwardingRules.pscUpdate
Can not be used to change targets. Can be used to access Google managed services when the rule already directs traffic to a target service and the attacker has access to a particular source VM.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Links
Contributed by P0 Security