services / Google Cloud / Compute Engine interconnect attachments

Interconnects provide connectivity between Compute Engine infrastructure and on-premises systems.

This privilege set may allow connection or disconnection of networks between multiple critical systems. To abuse creation of interconnects, multiple concurrent risks must be exploited, as abusing interconnects require access to a valid target on-premise facility, the ability to create interconnects, the ability to attach interconnects, and the ability to map interconnects to a compute router VLAN. The full set of privileges necessary to connect to a VLAN are: compute.interconnects.create, compute.interconnectAttachments.create, compute.interconnectAttachments.get, compute.routers.create, compute.routers.get, compute.routers.update.


compute.​interconnectsAttachments.​get

Exposes router IP addresses and VLAN tags.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​network-​connectivity/​docs/​interconnect/​concepts/​overview
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​compute/​interconnects
  • https:​/​/​cloud.​google.​com/​compute/​docs/​reference/​rest/​v1/​interconnects
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog