Google Cloud / Compute Engine managed instances
Create and alter managed instances.
Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are interchangeable within the Compute Engine documentation, although they may have semantic differences within these privileges.
compute.instances.update
Certain updates can reset the machine. Most sensitive update methods (e.g. adding disks) require `.use` permissions on any added resources. However, resources (e.g. disks, network interfaces, service accounts) can generally be removed without additional permissions, and instance scheduling and shielded-instance config can likewise be altered without additional permissions.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.
Links
Contributed by P0 Security