services / Google Cloud / Compute Engine managed instances
Create and alter managed instances.
Allows access to general core VM infrastructure, which can support a broad array of organizational functions. Note that the terms "instance" and "VM" are used interchangeably within the Compute Engine documentation, although they may have semantic differences within these privileges.
compute.instances.updateNetworkInterface
Allows alteration of the network an instance is attached to (for example, the instance can be moved to a different VPC), its external IP addresses, and its DNS records. May allow access to infrastructure on the new network. Further access depends on the firewall rules that apply to this instance and to other instances on that network.
Risks
Scope: CRITICAL
This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or, if exploited, lead to significant privilege escalation.
Links
Contributed by P0 Security