Google Cloud Identity-Aware Proxy: tunnel destination groups resource type
A tunnel destination group refers to a particular group of VMs in your project. The VMs are specified as a list of either CIDRs or FQDNs.
Identity-Aware Proxy (IAP) is used to control access to cloud services. Changes to IAP-related settings could remove access from mission-critical applications or grant an attacker access to sensitive resources.
iap.tunnelDestGroups.update
Updates an existing tunnel destination group. An attacker who deletes items from the group could cause a denial of service (DoS). An attacker could also gain access to machines by adding them to a group they have permission for.
Risks
Scope: HIGH
This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.
Contributed by P0 Security
© 2023–present P0 Security and contributors to the IAM Privilege Catalog