catalog logoThe IAM Privilege Catalog

services / Google Cloud / IAM Roles

IAM custom roles created for use in IAM policies.

This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.

iam.​roles.​delete

Deleting a custom role is possible even when it's present in bindings. The bindings remain, but are ineffectual.

Risks

  1. Policy destruction (CRITICAL)
  2. Denial-of-access (EVASION)

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https:​/​/​cloud.​google.​com/​iam/​docs/​creating-​custom-​roles
  • https:​/​/​cloud.​google.​com/​iam/​docs/​reference/​rest/​v1/​projects.​roles/​delete

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog