services / Google Cloud / IAM Roles

IAM custom roles created for use in IAM policies.

This is a sensitive service since it exposes information about organizational IAM policies and allows for potential manipulation of access.


iam.roles.update

Only custom roles can be updated. An update automatically grants additional access to every principal the role is bound to, without any change to the IAM policies themselves. An attacker who holds this permission can therefore add permissions to a custom role they are already bound to. Note that permissions are inherited by child resources: updating a role bound at the project level can grant permissions on new services and on every resource under that project.
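Because an update changes what a role grants without touching any binding, the place to catch it is the Cloud Audit Log entry for the UpdateRole call rather than the IAM policy. The following Python is an added example (not part of the catalog or P0 Security's tooling) that diffs each logged role update against a known baseline of the role's permissions and flags additions from an illustrative high-risk list. The log lines, the baseline, the principal names and the `HIGH_RISK_PERMISSIONS` set are all constructed for the example; the field layout assumed for the log entries (protoPayload.methodName, protoPayload.request.role.includedPermissions, protoPayload.authenticationInfo.principalEmail) follows the general shape of Cloud Audit Logs but is not a reproduction of the documented schema.

```python
import json
from typing import Dict, Iterable, List

UPDATE_ROLE_METHOD = "google.iam.admin.v1.UpdateRole"

# Illustrative set of permissions whose addition to a custom role most directly
# widens what the bound principals can do (assumed list, not exhaustive).
HIGH_RISK_PERMISSIONS = {
    "iam.roles.update",
    "iam.serviceAccountKeys.create",
    "iam.serviceAccounts.actAs",
    "resourcemanager.projects.setIamPolicy",
}

# Constructed baseline: the permissions each custom role held before the logged
# updates (in practice taken from an earlier export or an IaC definition).
BASELINE_ROLES: Dict[str, List[str]] = {
    "projects/demo-project/roles/bucketReader": [
        "storage.buckets.get",
        "storage.objects.get",
    ],
}

# Constructed sample audit log lines; the field layout is an assumption made
# for this example, not a copy of the documented Cloud Audit Log schema.
SAMPLE_LOG_LINES = [
    json.dumps({"protoPayload": {
        "methodName": "google.iam.admin.v1.CreateRole",   # not an update: ignored
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "request": {"roleId": "tempRole",
                    "role": {"includedPermissions": ["logging.logEntries.list"]}},
    }}),
    json.dumps({"protoPayload": {
        "methodName": UPDATE_ROLE_METHOD,                 # benign widening
        "authenticationInfo": {"principalEmail": "admin@example.com"},
        "request": {"name": "projects/demo-project/roles/bucketReader",
                    "updateMask": "includedPermissions",
                    "role": {"includedPermissions": [
                        "storage.buckets.get", "storage.objects.get",
                        "storage.objects.list"]}},
    }}),
    json.dumps({"protoPayload": {
        "methodName": UPDATE_ROLE_METHOD,                 # high-risk widening
        "authenticationInfo": {"principalEmail":
                               "ci-runner@demo-project.iam.gserviceaccount.com"},
        "request": {"name": "projects/demo-project/roles/bucketReader",
                    "updateMask": "includedPermissions",
                    "role": {"includedPermissions": [
                        "storage.buckets.get",
                        "resourcemanager.projects.setIamPolicy",
                        "iam.roles.update"]}},
    }}),
]


def parse_update_role_events(lines: Iterable[str]) -> List[dict]:
    """Keep only UpdateRole entries whose update mask touches includedPermissions."""
    events = []
    for line in lines:
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != UPDATE_ROLE_METHOD:
            continue
        request = payload.get("request", {})
        mask = request.get("updateMask", "includedPermissions")
        if isinstance(mask, dict):                 # tolerate a {"paths": [...]} form
            mask = ",".join(mask.get("paths", []))
        if "includedPermissions" not in mask.split(","):
            continue                               # e.g. only the description changed
        events.append({
            "role": request.get("name", ""),
            "principal": payload.get("authenticationInfo", {})
                                .get("principalEmail", "unknown"),
            "permissions": set(request.get("role", {}).get("includedPermissions", [])),
        })
    return events


def audit_role_updates(lines: Iterable[str], baseline: Dict[str, List[str]]) -> List[dict]:
    """Diff each update against the baseline (or the previous update of the same
    role) and report what was added, what was removed and which additions are
    high risk. Every update is reported; the high_risk field drives alerting."""
    current = {name: set(perms) for name, perms in baseline.items()}
    findings = []
    for ev in parse_update_role_events(lines):
        before = current.get(ev["role"], set())
        after = ev["permissions"]
        added = after - before
        findings.append({
            "role": ev["role"],
            "principal": ev["principal"],
            "added": sorted(added),
            "removed": sorted(before - after),
            "high_risk": sorted(added & HIGH_RISK_PERMISSIONS),
        })
        current[ev["role"]] = after   # later events diff against the updated role
    return findings


if __name__ == "__main__":
    for finding in audit_role_updates(SAMPLE_LOG_LINES, BASELINE_ROLES):
        print(json.dumps(finding, indent=2))
```

Run on the constructed lines, the second update is reported with both `iam.roles.update` and `resourcemanager.projects.setIamPolicy` under `high_risk`; the first is reported with an empty `high_risk` list, and the CreateRole entry is skipped. Diffing against a maintained baseline rather than alerting on every UpdateRole call is what keeps the check useful: routine role maintenance produces many updates, but only additions matter for escalation, and only a small set of permissions widen access sharply.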

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploit could lead to significant privilege escalation.

Links

  • https://cloud.google.com/iam/docs/creating-custom-roles
  • https://cloud.google.com/iam/docs/reference/rest/v1/projects.roles/delete
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog