catalog logoThe IAM Privilege Catalog

services / Google Cloud / Pub/Sub snapshot

A Pub/Sub snapshot captures the state of a pub/sub subscription. It retains all unacknowledged messages in the source subscription at the time of creation, and any messages published after the snapshot was created.

pubsub.​snapshots.​seek

The seek functionality allows for replay/redelivery of the messages in the snapshot. This can allow an attacker to read Pub/Sub messages, which may be sensitive.

Risks

  1. Data exfiltration (CRITICAL)

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https:​/​/​cloud.​google.​com/​pubsub/​docs/​replay-​overview#​seek_​to_​a_​snapshot
  • https:​/​/​cloud.​google.​com/​sdk/​gcloud/​reference/​pubsub/​snapshots/​create

    • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog